
Blue Coat® Systems

Integration Guide

Integrating the ProxySG and


ProxyAV Appliances

For SGOS 5.4 and AVOS 3.2


Contact Information
Americas:
Blue Coat Systems Inc.
420 North Mary Ave
Sunnyvale, CA 94085-4121

Rest of the World:


Blue Coat Systems International SARL
3a Route des Arsenaux
1700 Fribourg, Switzerland
http://www.bluecoat.com/support/contactsupport
http://www.bluecoat.com

For concerns or feedback about the documentation:


documentation@bluecoat.com

Copyright© 1999-2009 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this
document may be reproduced by any means nor modified, decompiled, disassembled,
published or distributed, in whole or in part, or translated to any electronic medium or other
means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and
to the Software and documentation are and shall remain the exclusive property of Blue Coat
Systems, Inc. and its licensors. ProxyAV™, CacheOS™, SGOS™, SG™, Spyware Interceptor™,
Scope™, ProxyRA Connector™, ProxyRA Manager™, Remote Access™ and MACH5™ are
trademarks of Blue Coat Systems, Inc. and CacheFlow®, Blue Coat®, Accelerating The
Internet®, ProxySG®, WinProxy®, PacketShaper®, PacketShaper Xpress®, PolicyCenter®,
PacketWise®, AccessNow®, Ositis®, Powering Internet Management®, The Ultimate Internet
Sharing Solution®, Cerberian®, Permeo®, Permeo Technologies, Inc.®, and the Cerberian and
Permeo logos are registered trademarks of Blue Coat Systems, Inc. All other trademarks
contained in this document and in the Software are the property of their respective owners.

BLUE COAT SYSTEMS, INC. AND BLUE COAT SYSTEMS INTERNATIONAL SARL
(COLLECTIVELY “BLUE COAT”) DISCLAIM ALL WARRANTIES, CONDITIONS OR OTHER
TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND
DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE
WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT, ITS SUPPLIERS
OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT,
CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS, INC. HAS
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.


Document Number: 231-03045


Document Revision: 5/2009 Rev. A

Table of Contents

Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Stated Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Supported Blue Coat Devices and Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Hardware Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Software Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Chapter Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2

Benefits of the Blue Coat Anti-Malware Solution . . . . . . . . . . . . . . . . . . . . . 2-1


About Web Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Types of Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
The Blue Coat Anti-Malware Solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
Malware Scanning Engines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
ICAP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
Response and Request Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
Web Malware Data Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6

Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
ProxySG/ProxyAV With Direct Internet Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
ProxySG/ProxyAV in a Closed Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
Basic Deployment: One ProxySG to One ProxyAV. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4
Redundant Appliance Topologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5
Deployment Guidelines. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7
Deployment Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8
Configuring and Installing the ProxySG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8
Configuring and Installing the ProxyAV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10

Configuring the ProxySG and ProxyAV Appliances . . . . . . . . . . . . . . . . . . . 4-1


About the Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Task 1: Prepare the ProxyAV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3
Task 2: Create the ICAP Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4
Task 3: Create Malware Scanning Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
Configuring ProxyAV Scanning Settings and Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
Configuring ProxySG Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-12
Task 4: Test the Anti-Malware Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-14

Monitoring ICAP Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1


Displaying ICAP Graphs and Statistics on the ProxySG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
Displaying ICAP Graphs on the ProxySG. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2

Integrating the ProxySG and ProxyAV Appliances iii



Displaying ICAP Statistical Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4


Monitoring ICAP-Enabled Sessions on the ProxySG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5
Displaying Active ICAP-Enabled Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5
Viewing Statistics on the ProxyAV. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8
Creating Anti-Malware Reports in Blue Coat Reporter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-10

Additional Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-1


Improving the User Experience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
About Patience Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
About Data Trickling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
Configuring ICAP Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4
Avoiding Network Outages due to Infinite Streaming Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5
Getting Notified about Detected Viruses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7
Selecting Alert Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-8
Viewing the Alert Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-8
Implementing Response and Request (Two-Way) ICAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10
Task 1: Define the ICAP Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10
Task 2: Create an ICAP Response Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11
Task 3: Create an ICAP Request Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11
Creating User-Based ICAP Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-14
Task 1: Create the ICAP Response Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-14
Task 2: Create a Virus Scanning Rule (Web Content Layer) . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-14
Task 3: Enable Web Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15
Task 4: Create Authorization Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-16

Load Balancing Between Multiple ProxyAV Appliances . . . . . . . . . . . . . . . .7-1


About Service Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2
Weighting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3
Load Balancing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3
Creating an ICAP Service Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5
Creating Load Balancing Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6

Configuring ProxyAV Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-1


About ProxyAV Failover. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2
Creating ProxyAV Failover Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3

Configuration Best Practices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-1


Conserving Scanning Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
Solution A: No-Scan Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
Solution B: Scan-Until-Error Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6
Determining Which File Types to Scan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8
CPL Example: Excluding File Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8
VPM Example: Excluding File Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8
CPL Example: Including File Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9
VPM Example: Including File Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9




Best Practices for PDF Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-10


Avoiding Processing of Cancelled Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-10

Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1
The ProxyAV isn’t Scanning Web Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2
Users Can’t Access Any Web Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3
ProxySG Runs Out of Memory During Heavy Traffic Load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5
Scans are Taking Too Long . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5
My ProxyAV isn’t Getting Virus Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-6





1 Introduction

Stated Purpose
This document provides conceptual information about malware threats, deployment guidelines and
workflows, configuration steps for getting the ProxyAV and ProxySG to communicate with each other,
and best practices to consider when deploying the integrated Blue Coat malware solution. This solution
involves the deployment of Blue Coat ProxyAV appliances in the network to perform malware content
scanning on Web responses and/or requests sent through ProxySG appliances.
This integration guide supplements existing product-specific guides. For details and instructions on each
product, use the context-sensitive online help or refer to the following guides:

• Blue Coat ProxyAV Configuration and Management Guide (version 3.2)


• Blue Coat ProxySG Configuration and Management Suite (version 5.4)
• The product’s installation or quick start guide
You can download these manuals from BlueTouch Online at:

https://support.bluecoat.com/documentation

Audience
The intended audience for this document is current and potential customers seeking to understand the Blue
Coat malware solution. ProxySG and ProxyAV customers deploying an anti-malware solution will benefit
from having configuration information in a single document.
This document assumes you are familiar with basic network concepts and terminology. Basic
familiarity with Blue Coat products is also recommended but not a prerequisite.

Supported Blue Coat Devices and Operating Systems


As of the production of this document, the integration guide covers the following Blue Coat products and
software releases.

Hardware Platforms

ProxySG models: SG200-x (except 200-A), SG210, SG510, SG800-x, SG810, SG8000-x, SG8100
ProxyAV models: AV2000-E, AV400-E, AV210, AV510, AV810




Software Versions

This guide assumes the latest software versions are installed on the ProxySG (SGOS 5.4) and ProxyAV
(AVOS 3.2). Some of the features (such as ICAP monitoring on the ProxySG) are not available in earlier
versions. If you are consulting this document and your software is more current than the ones listed above,
review the release notes for that release to learn about any new features not yet implemented in this
document.
If a concept or feature is not compatible with a specific AVOS or SGOS release, it is so noted in the
document.

Chapter Reference
This document is structured to be read in its entirety before implementing the AV solution. Deployments
not requiring redundancy can skip chapters 7 and 8.
This document contains the following chapters:
Chapter 1: Introduction
Chapter 2: Benefits of the Blue Coat Anti-Malware Solution
Chapter 3: Deployment
Chapter 4: Configuring the ProxySG and ProxyAV Appliances
Chapter 5: Monitoring ICAP Scanning
Chapter 6: Additional Configuration
Chapter 7: Load Balancing Between Multiple ProxyAV Appliances
Chapter 8: Configuring ProxyAV Failover
Chapter 9: Configuration Best Practices
Chapter 10: Troubleshooting



2 Benefits of the Blue Coat Anti-Malware
Solution

This chapter includes conceptual information about malware and describes benefits of using the integrated
Blue Coat anti-malware solution. It includes the following topics:
❐ About Web Malware—on page 2-2

❐ The Blue Coat Anti-Malware Solution—on page 2-4




About Web Malware


Although the AV in ProxyAV is an acronym for anti-virus, the ProxyAV does a lot more than scan for
viruses. These appliances offer advanced malware detection at the gateway. By detecting and blocking
viruses, worms, trojans, and spyware, the ProxyAV secures rogue channels that threaten the enterprise
network. The majority of malware comes from two vectors: hidden downloads in popular and trusted Web
sites, and malware distribution through social networking, peer-to-peer (P2P), and Web mail. When the
ProxyAV is integrated with the ProxySG, the Blue Coat solution provides a layered malware defense. You
have the ProxyAV with its malware threat detection and the ProxySG with its extensive Web content
controls. In addition, you have two appliances that have been designed, tested, and manufactured for
compatibility.
How big a problem is malware? In the last year alone, malware has increased fivefold, with 90 percent
coming from trusted sites. A recent Google study on the prevalence of Web-based malware found that
10 percent of the URLs examined successfully launched automatic installation of malware binaries.
Hackers are constantly creating new attacks, and these techniques use Web and secure Web (HTTPS)
access because those channels are typically permitted for legitimate business purposes. Malicious Web
outbreaks cost enterprises millions of dollars per year in repairing networks and lost productivity.

Types of Malware

Malware is defined as software designed to infiltrate or damage a computer system without the owner's
informed consent. It can be downloaded from Web pages without a user’s knowledge, often piggybacking
on a user’s trust of a known domain.
The following table lists common types of malware.

Malware        Description

Adware         Software that automatically displays advertisements on a computer.

Backdoor       A method of bypassing normal authentication, obtaining remote access to a
               computer, obtaining access to plaintext, and so on, while attempting to remain
               undetected.

Downloader     A program that downloads and installs malicious software.

MMC            Mobile malicious code. Software obtained from remote systems, transferred across
               a network, and then downloaded and executed on a local system without the user's
               explicit installation. It can be delivered via visits to a Web site, Web e-mail, or
               e-mail with attachments. Examples of MMC include scripts, Java applets, ActiveX
               controls, Flash animations, Shockwave movies, and macros embedded within
               Microsoft Office documents.

Ransomware     Software that encrypts data so that it is unreadable and then demands payment
               (the ransom) in exchange for the decryption key.

Rootkit        A program designed to take fundamental control of a computer system without the
               authorization of the system's owners and legitimate managers. "Root" comes from
               the UNIX term for root access, which is equivalent to administrator access in
               Windows.

Spyware        Software that is installed surreptitiously on a personal computer to intercept or
               take partial control over the user's interaction with the computer, without the
               user's consent.

Trojan horse   Software that appears to perform a desirable function but in fact performs
               undisclosed malicious functions. A computer worm or virus may be a Trojan horse.

Virus          A computer program that attaches itself to an existing program and can copy itself
               and infect a computer without the user's permission or knowledge.

Worm           A self-replicating computer program that uses a network to send copies of itself to
               other nodes, without any user intervention. Unlike a virus, it does not need to
               attach itself to an existing program.




The Blue Coat Anti-Malware Solution


The Blue Coat ProxySG and ProxyAV appliance solution pairs a proxy/cache device with a dedicated
scanning server that analyzes Web content for viruses, spyware, and other malware before the content
is cached, so that infected objects enter neither the cache nor the network.

Figure 2-1 ProxySG integrated with a ProxyAV (firewall, ProxySG, and ProxyAV).

The ProxyAV appliance is designed to work specifically with the ProxySG proxy architecture, and the
two appliances are built to communicate with each other as one integrated system. All ProxySG and
ProxyAV appliances are available in different capacities. Blue Coat provides sizing information to
assist you with determining the correct combination of appliances to deploy. With a proxy appliance
architecture, scalability from a few dozen users to many thousands of users is attainable.
The Blue Coat anti-malware solution is designed to prevent malicious code penetration with negligible
network performance impact. Blue Coat achieves this with ProxyAV software that is designed for
performance and security, combined with the caching capability of the ProxySG proxy. If an AV scanner
had to rescan every object on every request, cached or not, performance would suffer. The Blue Coat AV
deployment instead provides a scan-once, serve-many benefit:

• Once an object is cached, it doesn't need to be scanned again until either the object contents change or
the AV database changes. The AV database is a pattern file that allows anti-virus software to identify
malware. Whenever the database changes, the ProxyAV needs to rescan any requested objects that are in
the cache, because the new database might detect threats that the old database didn't.

• For a non-cacheable object, the ProxyAV scans the object and records a fingerprint (a cryptographic
hash of the file's contents) together with the scan verdict. On later requests the ProxyAV compares the
object's fingerprint against this database of fingerprints built up from earlier scans. The object is not
scanned again unless either its fingerprint changes (indicating the content has changed) or the AV
database changes.




The ProxyAV’s scanning methods and capabilities provide three main benefits:

• Outbreaks are smaller.


• Containment is faster.
• Performance gain is attained by not scanning unchanged objects.
The integration of the ProxyAV with the ProxySG allows you to manage inbound (response) and outbound
(request) communications. The policy engine of the proxy allows you to implement malware scanning as
follows:

• By customizing ProxySG policy, you determine what application protocols are allowed in your
enterprise, then create policy that determines what type of content is sent for malware scanning. For
example, you might decide GIF files represent a lower risk and instruct the ProxySG not to send them
to the ProxyAV.

• Processing performance is optimized through different configuration options. You can set small and
large object thresholds to differentiate between smaller, common Web objects and larger objects, such
as content streams. Rescanning is not driven by a cache timeout: the ProxyAV retains an object's
fingerprint and only discards it when the virus definitions are updated. Only a solution that
understands Web scanning can implement this.

• The final piece is the user experience. Policy configured on both the ProxySG and ProxyAV allows
you to determine what happens when an exception (error) occurs: you can allow the content to continue
to the client or deny it. Note that allowing content through on a scan error fails open; Chapter 9,
Configuration Best Practices, discusses that tradeoff. The ProxySG can also display patience pages with
custom messages to users when a content scan exceeds a customizable time limit, so users know exactly
what is happening on their desktops, which reduces the number of IT help desk tickets.
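The scan-once, serve-many behavior described above (a verdict is reused until either the content or the AV database changes) as an added example; this is not Blue Coat's implementation or code from this guide. The cache key is the pair (content fingerprint, definition version), so a content change produces a new key and a definition update drops every stored verdict. The substring "engine", the signature names, the version strings and the sample page are all constructed for the example.

```python
"""Scan-once, serve-many as a verdict cache. Added example, not Blue Coat's
implementation: the cache key is (content fingerprint, definition version),
so a verdict is reused until the content changes or the definitions change.
The "engine" is a substring matcher standing in for a real AV engine; the
signatures, version strings and sample objects are constructed."""
import hashlib


class ScanCache:
    def __init__(self, signatures, definitions_version):
        self.signatures = dict(signatures)        # stands in for the AV pattern file
        self.definitions_version = definitions_version
        self.verdicts = {}                        # (fingerprint, version) -> (clean, threat)
        self.engine_calls = 0                     # how often the engine really ran

    @staticmethod
    def fingerprint(content):
        """Content fingerprint: a cryptographic hash, so any byte change is a new key."""
        return hashlib.sha256(content).hexdigest()

    def _engine_scan(self, content):
        self.engine_calls += 1
        for name, pattern in self.signatures.items():
            if pattern in content:
                return (False, name)
        return (True, None)

    def scan(self, content):
        """Return (clean, threat_name), running the engine only on a cache miss."""
        key = (self.fingerprint(content), self.definitions_version)
        if key not in self.verdicts:
            self.verdicts[key] = self._engine_scan(content)
        return self.verdicts[key]

    def update_definitions(self, version, signatures):
        """Pattern-file update: every cached verdict becomes stale and is dropped,
        because the new definitions may know threats the old ones did not."""
        self.definitions_version = version
        self.signatures = dict(signatures)
        self.verdicts.clear()


def demo():
    """Walk through the cases the text describes; returns the observations."""
    cache = ScanCache({"Constructed.Marker.A": b"MARKER-A"}, "2009.05.01")
    page = b"<html><body>benign page</body></html>"
    first = cache.scan(page)
    second = cache.scan(page)                       # same fingerprint, same version: no engine call
    calls_after_repeat = cache.engine_calls         # 1
    edited = cache.scan(page + b"<!-- edited -->")  # content changed: new fingerprint, rescanned
    calls_after_edit = cache.engine_calls           # 2
    # A definition update that now flags the previously clean page.
    cache.update_definitions("2009.05.02", {"Constructed.Marker.A": b"MARKER-A",
                                            "Constructed.Marker.B": b"benign page"})
    after_update = cache.scan(page)                 # rescanned under the new version, now detected
    calls_after_update = cache.engine_calls         # 3
    return {
        "first": first, "second": second, "edited": edited, "after_update": after_update,
        "calls": (calls_after_repeat, calls_after_edit, calls_after_update),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point to take from the version being part of the key is that a definitions update must invalidate clean verdicts as well as detections; a cache keyed on the fingerprint alone would keep serving an object that the new pattern file would have caught.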

Malware Scanning Engines

The ProxyAV supports the leading malware scanning engines including:

• Kaspersky
• Sophos
• McAfee
• Panda
Blue Coat provides licenses from the above vendors, and you select one vendor for your malware scanning.
When your vendor engine license is about to expire, Blue Coat provides the option to renew it or obtain an
engine license from a different vendor.

ICAP

Blue Coat’s ProxySG and ProxyAV appliances communicate using the Internet Content Adaptation
Protocol (ICAP, RFC 3507). The ProxySG is the ICAP client, and the ProxyAV is the ICAP server. As the
ICAP client, the ProxySG delivers to the ICAP server the Web content that needs to be scanned. As the
ICAP server, the ProxyAV provides content scanning, filtering, and repair service for Internet-based
malicious code. To eliminate threats to the network and to maintain caching performance, the ProxySG
sends objects to the ProxyAV for checking and saves the scanned objects in its object store. On
subsequent requests for the same content, the ProxySG serves the already-scanned object rather than
rescanning it for each request.
You can scan your data using plain ICAP, secure ICAP, or both. Plain ICAP carries the content between
the appliances in cleartext and is appropriate for non-confidential data (HTTP). Secure ICAP sends data
that may be confidential (for example, HTTPS content that the ProxySG has decrypted for inspection)
over an encrypted channel, so that the decrypted payload is not exposed on the link between the
ProxySG and the ProxyAV. Secure ICAP is available beginning with SGOS 5.3 and AVOS 3.2.
The Blue Coat solution uses an enhanced ICAP+ version that offers improved performance, reliability,
integrated reporting, and detailed error/exception handling and reporting.

Response and Request Services

Two types of ICAP services are available: response and request.

Most Web malware deployments use a response service. The response is the client-requested content
that is pending entry into the cache, and thus into the network; that is, the response contains Web
objects from the origin content server. Before this content is allowed into the network, the ProxyAV
scans it for malicious code. If the content is verified as clean (and is also allowable by corporate
policy), the client receives the Web objects that make up the Web page. If malware scanning detects
malicious content, the response is quarantined, the objects are not cached, the event is logged, and the
client receives a message indicating that a virus was found.
A request service is typically used to scan documents and Web mail attachments before users upload
them to external servers (such as Gmail or Hotmail), thus preventing users from propagating malicious
content they might unknowingly have on their desktops.
The ProxySG refers to these ICAP services as REQMOD (request modification) and RESPMOD (response
modification), which are the ICAP method names.
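The RESPMOD exchange described above, as an added example that is not part of this guide and not Blue Coat code: the client side (the ProxySG's role) wraps the origin server's HTTP response in an ICAP RESPMOD request, the server side (the ProxyAV's role) scans the encapsulated body and answers either 204 No Content (clean, serve the original) or 200 OK with a replacement response (blocked), and the client applies that verdict. The ICAP service URL (icap://proxyav.example.internal:1344/avscan), the ISTag value and the "malware" signature are constructed, and the substring scanner stands in for a real AV engine. A REQMOD exchange is built the same way, with req-hdr and req-body offsets in the Encapsulated header instead of res-hdr and res-body.

```python
"""Minimal ICAP (RFC 3507) RESPMOD exchange between an ICAP client (the role the
ProxySG plays) and an ICAP server (the role the ProxyAV plays). Added example,
not Blue Coat code. Host names, service name, ISTag value and the "malware"
signature are constructed; the scanner is a substring match standing in for a
real AV engine. Runs offline: both messages are built in memory."""

CRLF = b"\r\n"

def chunk(body):
    """Encode body as one HTTP/1.1 chunk plus the terminating zero-length chunk."""
    data = f"{len(body):x}".encode() + CRLF + body + CRLF if body else b""
    return data + b"0" + CRLF + CRLF

def dechunk(data):
    """Decode a chunked body, stopping at the zero-length chunk."""
    out, pos = bytearray(), 0
    while True:
        eol = data.index(CRLF, pos)
        size = int(data[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        out += data[pos:pos + size]
        pos += size + 2                      # skip the chunk's trailing CRLF

def split_message(raw):
    """Split an ICAP message into (start line, lower-cased header dict, encapsulated section)."""
    head, _, rest = raw.partition(CRLF + CRLF)
    start, *lines = head.split(CRLF)
    headers = {}
    for line in lines:
        name, _, value = line.decode().partition(":")
        headers[name.strip().lower()] = value.strip()
    return start.decode(), headers, rest

def encapsulated_offsets(headers):
    """Parse 'Encapsulated: req-hdr=0, res-hdr=N, res-body=M' into a dict of byte offsets."""
    return {k.strip(): int(v) for k, v in
            (part.split("=") for part in headers["encapsulated"].split(","))}

def build_respmod(service, req_hdr, res_hdr, res_body):
    """ICAP client side: wrap the origin server's response (plus the browser's request
    headers) in a RESPMOD request. Offsets count bytes inside the encapsulated section."""
    req_block = req_hdr + CRLF + CRLF
    res_block = res_hdr + CRLF + CRLF
    enc = f"req-hdr=0, res-hdr={len(req_block)}, res-body={len(req_block) + len(res_block)}"
    head = CRLF.join([f"RESPMOD icap://{service} ICAP/1.0".encode(),
                      f"Host: {service.split('/')[0].split(':')[0]}".encode(),
                      b"Allow: 204",          # we can serve our own copy if the server says so
                      f"Encapsulated: {enc}".encode()])
    return head + CRLF + CRLF + req_block + res_block + chunk(res_body)

def icap_server_scan(request, signatures):
    """ICAP server side: scan the encapsulated response body. Clean content gets 204 (client
    serves its original copy); a detection gets 200 plus a replacement HTTP response."""
    start, headers, rest = split_message(request)
    assert start.startswith("RESPMOD ")
    off = encapsulated_offsets(headers)
    body = dechunk(rest[off["res-body"]:])
    hit = next((name for name, pattern in signatures.items() if pattern in body), None)
    istag = b'ISTag: "constructed-defs-2009.05"'   # changes whenever definitions change
    if hit is None and "204" in headers.get("allow", ""):
        return b"ICAP/1.0 204 No Content" + CRLF + istag + CRLF + CRLF
    if hit is None:                                 # 204 not allowed: echo the original back
        new_hdr, new_body = rest[off["res-hdr"]:off["res-body"]], body
    else:                                           # blocked: replace the whole response
        new_body = f"Blocked: {hit} detected by the gateway scanner.\n".encode()
        new_hdr = (b"HTTP/1.1 403 Forbidden" + CRLF + b"Content-Type: text/plain" + CRLF
                   + f"Content-Length: {len(new_body)}".encode() + CRLF + CRLF)
    enc = f"res-hdr=0, res-body={len(new_hdr)}".encode()
    return (b"ICAP/1.0 200 OK" + CRLF + istag + CRLF + b"Encapsulated: " + enc + CRLF + CRLF
            + new_hdr + chunk(new_body))

def icap_client_apply(original_res_hdr, original_body, reply):
    """ICAP client side: decide what reaches the browser from the server's reply."""
    start, headers, rest = split_message(reply)
    if int(start.split(" ")[1]) == 204:
        return original_res_hdr, original_body
    off = encapsulated_offsets(headers)
    return rest[off["res-hdr"]:off["res-body"]].rstrip(CRLF), dechunk(rest[off["res-body"]:])

# Constructed sample traffic.
SIGNATURES = {"Constructed.Test.Marker": b"CONSTRUCTED-MALWARE-MARKER"}
REQ_HDR = b"GET /index.html HTTP/1.1" + CRLF + b"Host: www.example.com"
RES_HDR = b"HTTP/1.1 200 OK" + CRLF + b"Content-Type: text/html"

def scan_through_gateway(body):
    """End to end: client builds RESPMOD, server scans, client applies the verdict."""
    request = build_respmod("proxyav.example.internal:1344/avscan", REQ_HDR, RES_HDR, body)
    return icap_client_apply(RES_HDR, body, icap_server_scan(request, SIGNATURES))

if __name__ == "__main__":
    print(scan_through_gateway(b"<html>hello</html>"))
    print(scan_through_gateway(b"<html>CONSTRUCTED-MALWARE-MARKER</html>"))
```

Two details matter operationally. The Allow: 204 header is what lets the server answer "unchanged" without shipping the object back, which is the wire-level half of scan-once, serve-many; and the ISTag header is the server's way of telling the client that its definitions changed, so a client that caches verdicts must treat a new ISTag as invalidating them. Everything in this exchange travels in cleartext unless it is carried over secure ICAP.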

Web Malware Data Flow

Through configuration options and policy, you control and track (log) the various aspects of Web malware
scanning, including the types of files scanned or ignored, exceptions for groups or protocols, data trickling,
the type of user feedback messages, and more. The following diagram illustrates, at a high level, the data
flow in the Blue Coat Web anti-malware solution.




Figure 2-2 Basic Web malware data flow.



3 Deployment

This chapter illustrates several deployment topologies for incorporating one or more ProxySG and
ProxyAV appliances in your network. It also includes high-level guidelines and workflows for physically
installing the appliances into your network. It includes the following topics:
❐ ProxySG/ProxyAV With Direct Internet Access—on page 3-2

❐ ProxySG/ProxyAV in a Closed Network—on page 3-3

❐ Redundant Appliance Topologies—on page 3-5

❐ Deployment Guidelines—on page 3-7

❐ Deployment Workflow—on page 3-8


ProxySG/ProxyAV With Direct Internet Access


In most enterprises, the ProxySG and ProxyAV are deployed with direct access to the Internet. You can
deploy the appliances in different combinations: one ProxySG to one ProxyAV; one ProxySG to multiple
ProxyAV appliances; multiple ProxySG appliances to one ProxyAV; or multiple ProxySG appliances to
multiple ProxyAV appliances. The ProxySG has the capability to load balance Web scanning between
multiple ProxyAV appliances or to designate a sequence of ProxyAV appliances as failover devices should
the primary ProxyAV go offline.
Work with a Blue Coat sales engineer to determine the appropriate sizing for your enterprise.
The following diagram illustrates the ProxySG with ProxyAV architecture.

Figure 3-1 Blue Coat appliances deployed with direct Internet access for updates.

The admin PC is used to perform configuration and policy changes on any Blue Coat appliance.


ProxySG/ProxyAV in a Closed Network


For heightened security, some network architectures (particularly in government or military environments)
prevent devices from having direct Internet access. The following diagram illustrates a closed network
topology, in which firmware and pattern-file updates are staged on an internal server rather than fetched
by the ProxyAV from the Internet.

Legend:
1: Retrieve the latest AV appliance firmware update file.
2: Retrieve the latest AV vendor pattern files. Use a script to prepare the files (remove absolute links, for
example).
3: Copy the files to an internal server connected to the AV appliance.
4: Configure the AV appliance to retrieve the update files from the server (HTTP/URL).

Figure 3-2 Blue Coat appliances deployed in a closed network.


Basic Deployment: One ProxySG to One ProxyAV


This basic deployment has one ProxySG and one ProxyAV and is suitable for a small enterprise or network
segment.

Figure 3-3 One ProxySG to one ProxyAV.

This basic deployment is the easiest type of topology to configure and, because it doesn’t require redundant
appliances to be purchased, is the least expensive to deploy. However, because it lacks redundancy, the
basic deployment has the following limitations:

• No Web malware scanning if the ProxyAV goes down. Depending on the policy you implement on the
ProxySG, when the ProxyAV fails, users either receive unscanned content (fail open) or notices that the
content cannot be delivered (fail closed).

• No load balancing for ICAP scanning if the ProxyAV gets overwhelmed with ICAP requests.
• No failover if the ProxySG goes down.


Redundant Appliance Topologies


Larger enterprises may require redundancy in the network: multiple ProxySG and/or multiple ProxyAV
appliances. Redundant appliances address the limitations of the single-ProxyAV/single-ProxySG
deployment. The ProxySG can load balance Web scanning between multiple ProxyAV appliances or
designate a sequence of ProxyAV appliances as failover devices should the primary ProxyAV go offline.
Similarly, secondary ProxySG appliances can be configured as failover devices should the primary ProxySG
go down or can provide further proxy support in the network.
The most common type of redundant topology in a Blue Coat integrated deployment is multiple ProxyAV
appliances with a single ProxySG.

Figure 3-4 One ProxySG to multiple ProxyAV appliances.

For configuration details, see:


❐ Chapter 7: Load Balancing Between Multiple ProxyAV Appliances

❐ Chapter 8: Configuring ProxyAV Failover


Enterprises that need ProxySG failover, without redundant ProxyAV appliances, might use the following
type of topology.

Figure 3-5 Multiple ProxySG appliances to one ProxyAV.

Enterprises with hundreds to thousands of users require the processing power of multiple ProxySG and
ProxyAV devices, working together to provide efficient scanning power plus failover capability.

Figure 3-6 Multiple ProxySG appliances to multiple ProxyAV appliances.

For information on configuring failover on the ProxySG, refer to the ProxySG Configuration and Management
Suite (Volume 1: Getting Started and Volume 5: Advanced Networking).


Deployment Guidelines
When planning the installation of your Blue Coat appliances, consider the following deployment
guidelines:

• Blue Coat recommends that all ProxySG appliances reside on the same subnet as the ProxyAV
appliances they are clients to. This includes using multiple ProxySG appliances sharing multiple
ProxyAV appliances. Make sure to keep the ProxyAV physically and logically close to the ProxySG.
Although you can put the ProxyAV in California and the ProxySG in New York, performance will
suffer. It is recommended that the ProxyAV be on the next-hop VLAN.

• The ProxyAV must have access to the Internet for system and pattern file updates. In a closed network,
you’ll need to download these files from a system that has Internet access and then copy these files to
an internal server connected to the AV appliance; the ProxyAV must be configured to retrieve the
update files from this server. See "ProxySG/ProxyAV in a Closed Network" on page 3-3.

• The ProxyAV can use the ProxySG as a proxy for downloading pattern file and firmware updates, but
this is not required.

• The ProxySG can be deployed in explicit or transparent mode. In explicit mode, each client Web
browser is explicitly configured to use the ProxySG as a proxy server. In transparent mode, the client
Web browser does not know the traffic is being processed by a machine other than the origin content
server. Transparent proxy requires that you use a bridge, a Layer-4 switch, or Web Cache
Communication Protocol (WCCP) to redirect traffic to the ProxySG.


Deployment Workflow
Before installing the ProxyAV, you should install the ProxySG in the network and verify it is functioning
properly as a secure Web gateway. Once you have done tests to determine that the ProxySG is performing
as expected, you can proceed with the ProxyAV installation and configuration.

Configuring and Installing the ProxySG

The following procedure provides high-level steps for performing the initial configuration and physical
installation of the ProxySG.
Configure and Install the ProxySG

Step 1: With a serial console connection, run the initial setup wizard to configure the ProxySG with basic network settings.
    Novice ProxySG users may need to refer to the ProxySG Quick Start Guide for specific steps.

Step 2: Rack mount the ProxySG and connect the appliance to the network.
    See the ProxySG Quick Start Guide for specific steps.

Step 3: Register and license the ProxySG. Your ProxySG ships with a temporary (60-day) license. You can register your appliance at any time during that period.
    To register and license your ProxySG:
    a. Open a Web browser and navigate to: https://support.bluecoat.com/licensing
    b. Enter your BlueTouch Online credentials.
    c. Follow the instructions to register your appliance and download a license.

Step 4: Log in to the ProxySG Management Console.
    a. Open a Web browser.
    b. Enter the IP address you assigned to the ProxySG followed by port number 8082. For example: https://192.0.2.2:8082

Step 5: Verify a successful configuration.
    In the Management Console:
    a. Select Statistics > Summary > Efficiency. Verify that each configured interface is up.
    b. Click the Device tab. Verify connectivity to the DNS server and other external devices.
    c. Make sure the ProxySG health status is green (OK).

Step 6: Set the Explicit HTTP proxy service to intercept, and add a rule in the Web access layer to allow this traffic.
    a. Select Configuration > Services > Proxy Services.
    b. Open the Visual Policy Manager (Configuration > Policy > Visual Policy Manager > Launch) and create a Web access layer that allows the Explicit HTTP service name.
    c. Install the policy.

Step 7: Verify that the ProxySG is seeing network traffic.
    a. Make sure there are clients running traffic. Note: The browser must be explicitly or transparently redirected to the ProxySG appliance.
    b. Select Statistics > Sessions > Active Sessions.
    c. Click Show. The Proxied Sessions table should list the active sessions of current traffic.

Step 8: If necessary, upgrade to SGOS 5.4. This Integration Guide assumes the ProxySG is running SGOS 5.4.
    Select Maintenance > Upgrade. For details, refer to the ProxySG Configuration and Management Suite. See Volume 9: Managing the Blue Coat ProxySG Appliance, Chapter 3: Maintaining the ProxySG.


Configuring and Installing the ProxyAV

The following procedure provides high-level steps for performing the initial configuration and physical
installation of the ProxyAV. The ProxyAV installation should be done after the ProxySG installation.
Configure and Install the ProxyAV

Step 1: Rack mount the ProxyAV, insert the disk drive(s), connect the appliance to the network, and power on the ProxyAV.
    See the ProxyAV Quick Start Guide for specific steps.

Step 2: Configure the ProxyAV with basic network settings.
    Use a serial console connection or the buttons on the ProxyAV front panel.

Step 3: Log in to the ProxyAV Management Console.
    a. Open a Web browser.
    b. Enter the IP address you assigned to the ProxyAV followed by port number 8082. For example: https://192.0.2.3:8082

Step 4: Activate the license on the appliance.
    a. Select Licensing.
    b. Click Register.
    c. Enter your WebPower (or BlueTouch Online) credentials.
    d. Enter your activation code from the e-mail received from Blue Coat.
    e. Click Register ProxyAV.

Step 5: If necessary, upgrade to AVOS 3.2. This Integration Guide assumes the ProxyAV is running AVOS 3.2.
    a. Select Firmware Update.

Now that the two Blue Coat appliances are installed on the same subnet, you can configure them to work
together. Proceed to the next chapter.



4 Configuring the ProxySG and ProxyAV Appliances

This chapter provides the configuration steps required to integrate the ProxySG and ProxyAV to perform
Web malware scanning. It includes the following topics:
❐ About the Tasks—on page 4-2

❐ Task 1: Prepare the ProxyAV—on page 4-3

❐ Task 2: Create the ICAP Service—on page 4-4

❐ Task 3: Create Malware Scanning Policy—on page 4-8

❐ Task 4: Test the Anti-Malware Policy—on page 4-14


About the Tasks


As described in Chapter 2, there are two types of anti-malware scanning services: response and request. The
most common deployment is scanning incoming data and downloads (responses to users’ requests), which
requires a response service. The tasks in this section describe this deployment.
Implementing the Blue Coat Web anti-malware scanning solution requires the following tasks:
Task | Description | Procedure

1. On the ProxyAV, specify the ICAP service name and configure secure ICAP (if desired).
   Procedure: “Task 1: Prepare the ProxyAV” on page 4-3

2. On the ProxySG, create an ICAP response service to communicate with the ProxyAV. Response services scan Web content requested by clients (users).
   Procedure: “Task 2: Create the ICAP Service” on page 4-4

3. On the ProxyAV, configure scan settings. On the ProxySG, create policy for the ICAP service.
   Procedure: “Task 3: Create Malware Scanning Policy” on page 4-8

4. Make sure the policies are working correctly.
   Procedure: “Task 4: Test the Anti-Malware Policy” on page 4-14


Task 1: Prepare the ProxyAV


The following steps prepare the ProxyAV for communication with the ProxySG. Note that the default
settings work fine in most situations.
Prepare the ProxyAV

Step 1: Log in to the ProxyAV Management Console.

Step 2: Name the ICAP service; you will use this name to help identify the ProxyAV when configuring the ProxySG.
    a. Select ICAP Settings.
    b. In the Antivirus Service Name field, enter a name that identifies the service.
    c. Click Save Changes.

Step 3: (Optional) Use a secure ICAP connection between the ProxyAV and the ProxySG. This is a two-step process that requires a configuration selection on the ProxySG, which is performed during Task 2. Note: This feature requires AVOS 3.2.x and SGOS 5.3.x and later releases.
    a. Select ICAP Settings.
    b. In the ICAP Server Ports area, select secure. In most deployments, the default port (11344) is acceptable. If you change the port, you must specify the same port during the ProxySG configuration in Task 2.
    c. Accept the default keyring or select a keyring you have created. Note: To create a keyring, go to Advanced > SSL Keyrings on the ProxySG.
    d. Click Save Changes.

Step 4: Save the settings. Click Save Changes.


Task 2: Create the ICAP Service


The ProxySG must be configured to communicate with the ProxyAV as an ICAP client; once this is
configured, before caching and serving a response from the origin content server, the ProxySG forwards the
first portion of the Web object to the ProxyAV to determine if malicious code is present.
Create the ProxySG ICAP Service

Step 1: Log in to the ProxySG Management Console.

Step 2: Create a new ICAP service.
    a. Select Configuration > External Services > ICAP > ICAP Services.
    b. Click New.
    c. Assign a descriptive name to the service.
    d. Click OK. The new ICAP object displays in the services list.

Step 3: Edit the new service.
    a. Highlight the new ICAP service name.
    b. Click Edit. The Edit ICAP Service dialog displays.

Step 4: Configure the service communication options.
    a. In the Service URL field, enter the URL of the ProxyAV. The URL includes the scheme, the ProxyAV’s hostname or IP address, and the ICAP service name. For example: icap://10.10.10.10/avscan
    b. Maximum number of connections specifies the maximum possible connections at any given time that can occur between the ProxySG and the ProxyAV. Do not change this value—use the Sense settings button to get the correct value that your platform supports.
    c. In the Connection timeout field, enter the number of seconds the ProxySG waits for replies from the ProxyAV. The default timeout is 70 seconds, but you will likely want it set to a higher value because large (several hundred MB) archives can easily take more than 70 seconds. If the ProxyAV gets a large file that takes more than the configured timeout to scan, the ProxySG will close the connection and the user will not get the file. The value you enter for the timeout is related to the maximum file size configured on the ProxyAV; larger file sizes require longer to scan, so the connection timeout should be higher. If you allow only 100 MB file sizes, 70 seconds would be a sufficient timeout value. But if you allow 2 GB files, a timeout value of 70 would be too low. The range is 1 to 65535.
    d. Select Defer scanning at threshold to set the threshold at which the ProxySG defers the oldest ICAP connection that has not yet received a full object. By default, the deferred scanning threshold is disabled when an ICAP service is created. When enabled, the defer scanning threshold defaults to 80 percent. For more information about scanning deferral, see "Avoiding Network Outages due to Infinite Streaming Issues" on page 6-5.
    e. Select Notify administrator when virus detected to send an e-mail to the administrator if the ICAP scan detects a virus. The notification is also sent to the Event Log and the Event Log e-mail list. Note that the ProxyAV also has settings for notifying administrators when a virus is detected; this configuration is explained in "Getting Notified about Detected Viruses" on page 6-7.
    f. Select Use vendor’s “virus found” page to display the default vendor error exception page to the client instead of the ProxySG exception page.

Step 5: Configure service ports for plain ICAP (Step 5a) and/or secure ICAP (Step 5b). You can enable one or both types of ICAP connections at the same time.

Step 5a: Configure service ports for plain ICAP.
    a. Select This service supports plain ICAP connections. Use plain ICAP when you are scanning plain data (HTTP). In this case, if the HTTPS proxy is enabled on the ProxySG, the data is decrypted first on the ProxySG and then sent to the ICAP server.
    b. In the Plain ICAP port field, enter a port number. The default port is 1344.

Step 5b: Configure service ports for secure ICAP if you are scanning sensitive or confidential data (HTTPS).
    a. Select This service supports secure ICAP connections to use secure ICAP.
    b. In the Secure ICAP port field, enter a port number. The default port is 11344.
    c. Make sure that you select a valid SSL profile for secure ICAP in the SSL Device Profile field. This associates an SSL device profile with the secure ICAP service.

Step 6: Select the ICAP method. Select response modification.

Step 7: Determine whether you need to use the preview feature.
    • If you are using file scanning policies based on file extensions on the ProxyAV, enter 0 in the Preview size (bytes) field, and select enabled. With a 0 bytes preview size, only response headers are sent to the ProxyAV; more object data is only sent if requested by the ProxyAV.
    or
    • If you have enabled the Kaspersky Apparent Data Types feature on the ProxyAV, enter a value (512 is recommended) in the Preview size (bytes) field, and select enabled. The ProxyAV reads the object up to the specified byte total, and then either continues with the transaction (that is, receives the remainder of the object for scanning) or opts out of the transaction.
    or
    • Unselect enabled if the above two situations don’t apply to you; do not use the preview option.

Step 8: Determine the maximum number of connections that your ProxySG/ProxyAV can support.
    a. Click Sense settings.
    b. Click OK to confirm.
    c. Click OK to confirm your changes. If the Sense settings command was able to retrieve the settings from the ProxyAV, you will see the following message:
    d. Click OK.

Step 9: Refresh your browser to see the maximum number of connections that were “sensed.”
    a. Click your browser’s refresh button.
    b. Edit the response service you created and look at the value that was entered for Maximum number of connections.
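As an added illustration (not from this guide or from Blue Coat), the following Python builds the ICAP RESPMOD request an ICAP client sends with a preview window, as described in Step 7, and interprets the scanner's reply to the preview. The service URL and preview size are the values used in this task; the HTTP headers, body and ICAP replies are constructed samples, and the function names are this example's own.

```python
import re

# Values from this task's example: the ICAP service URL entered in Step 4a
# and the preview size recommended in Step 7 for Apparent Data Types.
SERVICE_URL = "icap://10.10.10.10/avscan"
PREVIEW_SIZE = 512

# Constructed sample HTTP headers and body for the object being fetched
# (illustrative only; not captured from a real appliance).
REQ_HDR = b"GET /download/eicar.com.txt HTTP/1.1\r\nHost: www.eicar.org\r\n\r\n"
RES_HDR = (b"HTTP/1.1 200 OK\r\n"
           b"Content-Type: application/octet-stream\r\n"
           b"Content-Length: 2048\r\n\r\n")
BODY = b"A" * 2048  # placeholder body, larger than the preview window

# Constructed ICAP replies a scanner might return to the preview.
CONTINUE_REPLY = b"ICAP/1.0 100 Continue\r\n\r\n"
CLEAN_REPLY = (b"ICAP/1.0 204 No Content\r\n"
               b"ISTag: \"AV-0001\"\r\n"
               b"Encapsulated: null-body=0\r\n\r\n")


def icap_host(service_url: str) -> str:
    """Return the host or IP part of an icap:// service URL."""
    m = re.match(r"icap://([^/:]+)(?::\d+)?/", service_url)
    if not m:
        raise ValueError(f"not an ICAP service URL: {service_url}")
    return m.group(1)


def build_respmod_preview(service_url: str, req_hdr: bytes, res_hdr: bytes,
                          body: bytes, preview: int) -> bytes:
    """Build the RESPMOD request an ICAP client sends for a fetched object.

    Only the first `preview` body bytes go out initially (preview 0 sends just the
    headers); the server answers 100 Continue if it needs the rest, or 204/200 to
    finish early. The Encapsulated header records the byte offset of each section.
    """
    first = body[:preview]
    chunks = b""
    if first:
        chunks += f"{len(first):x}\r\n".encode() + first + b"\r\n"
    # "ieof" marks a preview that already held the entire body (RFC 3507, 4.5)
    chunks += b"0; ieof\r\n\r\n" if len(body) <= preview else b"0\r\n\r\n"
    icap_hdr = (
        f"RESPMOD {service_url} ICAP/1.0\r\n"
        f"Host: {icap_host(service_url)}\r\n"
        f"Allow: 204\r\n"
        f"Preview: {preview}\r\n"
        f"Encapsulated: req-hdr=0, res-hdr={len(req_hdr)}, "
        f"res-body={len(req_hdr) + len(res_hdr)}\r\n\r\n"
    ).encode()
    return icap_hdr + req_hdr + res_hdr + chunks


def parse_icap_reply(raw: bytes):
    """Split an ICAP reply into (status, reason, headers, encapsulated body)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    m = re.match(r"ICAP/1\.0 (\d{3}) (.*)", lines[0])
    if not m:
        raise ValueError(f"bad ICAP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), m.group(2), headers, rest


def next_action(status: int) -> str:
    """Decide what the client does after the reply to a preview."""
    if status == 100:
        return "send-remainder"     # scanner wants the rest of the object
    if status == 204:
        return "serve-original"     # object accepted unmodified; cache and serve it
    if status == 200:
        return "use-icap-response"  # scanner replaced the response (e.g. a virus-found page)
    return "fail"                   # anything else is a scan failure, handled by policy


if __name__ == "__main__":
    request = build_respmod_preview(SERVICE_URL, REQ_HDR, RES_HDR, BODY, PREVIEW_SIZE)
    print(request.decode("iso-8859-1")[:160])
    for reply in (CONTINUE_REPLY, CLEAN_REPLY):
        status, reason, _, _ = parse_icap_reply(reply)
        print(status, reason, "->", next_action(status))
```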

At this point, the ProxyAV and ProxySG are configured to communicate with one another. To verify that the
two appliances are communicating, look at the ICAP service health check on the ProxySG.
Verify Communication Between the ProxySG and ProxyAV

Step 1: Log in to the ProxySG Management Console.

Step 2: Check the status of the ICAP service.
    a. Select Statistics > Health Checks.
    b. For the icap.response service, look at the State. If the appliances are communicating, the State looks like this:

    If the appliances aren’t communicating, the State looks like this:

If the ICAP health check failed:

• Go through Tasks 1 and 2 again and verify that you have followed the configuration steps properly.
• Make sure the ProxySG and ProxyAV are on the same subnet.
• Verify that the ProxySG and ProxyAV have the same ICAP service ports. On the ProxyAV, go to ICAP
Settings. On the ProxySG, go to Configuration > External Services > ICAP > Edit.

• Make sure the ProxyAV has a valid license.


Task 3: Create Malware Scanning Policy


Although the ProxySG and ProxyAV can now communicate with each other, the ProxySG does not yet
know what traffic to send to the ProxyAV. By the term policy, Blue Coat means any configuration—either on
the ProxySG or the ProxyAV—that impacts malware scanning, including results. Implementing policy
involves configurations on both Management Consoles.

• ProxyAV Management Console: Determine maximum scannable file sizes; when exceptions occur,
determine what is sent to the ProxySG; ignore files with specified file extensions.

• ProxySG Management Console: In most enterprise deployments, all Web sites and objects are scanned by
default, and exception rules are created for specific groups, content types, and locations as required.
Use the Visual Policy Manager (VPM) tool to define the scanning policy; advanced users can use Content
Policy Language (CPL).
Before you begin implementing policy, create a plan that answers the following questions:

• What sites are not to be scanned (for example: intranet sites)?


• What objects are not to be scanned (for example: GIF files)?
• What policy is implemented if the ProxyAV becomes unavailable (for example: deny or allow all
requests not scanned)?

• What message is displayed when a virus is found?


• What policy is implemented when the object could not be scanned (for example, password protected
files cannot be scanned)? Is this policy specific to users or groups of users?

Configuring ProxyAV Scanning Settings and Policies

The ProxyAV Management Console provides several options that allow you to set scanning thresholds and
determine what happens when an exception—or event outside a normal scan process—occurs.
Configure Scanning Settings on the ProxyAV

Step 1: Log in to the ProxyAV Management Console.

Step 2: Display the Scanning Behavior page.
    a. Select Antivirus.
    b. Click the Scanning Behavior link.

Step 3: Enable heuristic parameters.
    When the Heuristic Parameters option is enabled, the AV appliance learns about traffic patterns on your network and adjusts accordingly to increase performance. After an initial learning period, the ProxyAV should be able to accelerate about 15 to 30 percent of the network’s traffic. The learning process restarts whenever a new virus pattern file or an updated scanning engine is downloaded.
    Because of the benefits it offers, Blue Coat recommends that you leave Heuristic Parameters at its default setting (enabled).

Step 4: Enable/disable extended options.
    Extended options
    The option names in the Extended options section vary according to the AV vendor engine you are using. Most options are associated with spyware/malware. Regardless of the option name, the behavior is as follows:
    Enabled: Scanning stops after the first instance of a virus or spyware. For Kaspersky, Detect Adware is enabled by default. It can be deselected, but it cannot be selected without selecting Detect Spyware.
    Disabled: Scanning stops only after the first instance of a virus, not spyware.

Step 5: Define a file scanning timeout value.
    File scanning timeout
    Some files, while not viruses themselves, are designed to disable a virus scanner. Although these files cannot disable a ProxyAV, they can use up system resources and slow down overall throughput. Defining a timeout value allows the ProxyAV to reclaim those resources. Blue Coat recommends that you use the default value (800 seconds). If long scans are a problem, implement the best practices for conserving scanning resources discussed in Chapter 9, “Configuration Best Practices.”

Step 6: Impose limits on the file sizes and numbers allowed to be scanned.
    • Maximum individual file size: An individual file size cannot exceed the specified size. This limitation also applies to each file within an archive. Dependent upon RAM and disk size of different AV appliance platforms, the maximum individual file size that can be scanned is as follows:
      – Blue Coat AV210: 768 MB
      – Blue Coat AV510: 768 MB
      – Blue Coat AV810: 2 GB
    • Maximum total uncompressed size: An uncompressed file or archive cannot exceed the specified size. The maximum is:
      – Blue Coat AV210: 3 GB
      – Blue Coat AV510: 3 GB
      – Blue Coat AV810: 4 GB
    • Maximum total number of files in archive: An archive cannot contain more than the specified number of files. The maximum is 100,000.
    • Maximum archive layers: An archive cannot contain more than the specified number of layers. The maximum number of layers for each AV engine is:
      – Panda: 30
      – McAfee: 300
      – All others: 100
    The ProxyAV scans objects unless the file exceeds any of the above limitations.

Step 7: Define how the ProxyAV behaves when a timeout or other scanning error occurs.
    Policies for Antivirus exceptions:
    • If Block is selected for an error type, the file is dropped. This is the default for all options.
    • If Serve is selected, the file is passed on to the client, unscanned.

Step 8: Save the settings. Click Save Changes.

Configuring Policies for File Types

The AV appliance is able to identify various file types, including graphics (such as JPG and GIF files), Adobe
PDF files, Microsoft application files, and archive files. Furthermore, the AV appliance recognizes all files
within an archived or compound Microsoft file. If any individual files in these compound files are specified
to be blocked, the entire compound file is blocked. For example, a ZIP file contains Word files and JPG files.
By policy, Word files are allowed, but JPG files are to be blocked. Therefore, the entire ZIP file is blocked.
The Apparent Data Types feature allows you to determine what is blocked, scanned, and served unscanned,
based on file contents. When this feature is enabled, even if an EXE file is renamed with an “innocent” file
extension (such as JPG), the ProxyAV will inspect the file contents and determine that the file is actually an
executable file and will apply appropriate policy for EXE files. This option is available only if you have
selected the Kaspersky or Sophos AV engine.
Configure Scanning Behavior Based on File Contents

Step 1: Enable inspection of file contents.
    a. On the Scanning Behavior page, click the Policies for file types link. The Policies For File Types page displays. The Apparent Data Types option is at the top.
    b. Select Enabled.

Step 2: Enable other options.
    • (Kaspersky only) Select True type of ... container to enable recognition of individual files in compound files. If this option is enabled, when an unknown file is detected within a container, the unknown policy is applied to the entire container file. If this option is disabled, then unknown files within containers are scanned.
    • (Sophos only) Select Detect weak types to enable recognition of file types that otherwise might be difficult for the ProxyAV to identify with 100 percent confidence.

Step 3: Specify policy for each file type. For each file type, select one of the following:
    • Don’t scan: The file is served back to the ProxySG without malware scanning.
    • Scan: The ProxyAV scans the object for malicious content and returns the content or modified response to the ProxySG.
    • Block: No scanning occurs and the ProxyAV returns a response to the ProxySG that the file was blocked (code type: file_type_blocked).

Step 4: Save the settings. Click Save Changes.

To accelerate the scanning process, you can specify scanning behavior based on file name extension. You
can block certain file extensions (ones that are notorious for containing viruses) or choose to never scan
certain file types (low-risk ones that are unlikely to contain viruses). Although you can configure file
extension scanning policy on either appliance, it is preferable to configure this type of policy on the
ProxySG. That way, the ProxySG doesn’t waste resources sending files to the ProxyAV that you don’t want
scanned. If you configure the file extension policy on the ProxyAV, the ProxySG will send all file types to
the ProxyAV, and the ProxyAV policy determines which files to scan; this method isn’t as efficient.
The procedure below explains how to configure scanning behavior based on file extensions. For
instructions on configuring file extension policy on the ProxySG, see Chapter 9, “Configuration Best
Practices.”
Note: Although file extension scanning policy can increase performance, it can present security risks.
Unlike the Apparent Data Type feature, the File Extensions feature does not inspect the file
contents, so it is possible to disguise an EXE virus with an apparently innocuous file extension (such
as TIF).

Configuring Scanning Behavior Based on File Extensions

Step 1: Indicate which file extensions to block and not serve to the client.
    a. On the Scanning Behavior page, click the Policies for file types link. The Policies For File Types page displays. Locate the File extensions section.
    b. In the Block files having extensions field, enter each file extension that should be blocked, separated by semicolons. For example: .vbs; .exe

Step 2: Indicate which file extensions needn’t be scanned because they are unlikely to contain viruses; these file types will be served to the client without any attempt at scanning.
    c. In the Don’t scan files having extensions field, enter each file extension that you don’t want to be scanned, separated by semicolons. For example: .gif; .tif

Step 3: Save the settings. Click Save Changes.

Configuring ProxySG Policy

Use the Visual Policy Manager (VPM) to configure policy on the ProxySG.
Configure the ICAP Response Policy

Step 1: Log in to the ProxySG Management Console.

Step 2: Launch the VPM.
    a. Select Configuration > Policy > Visual Policy Manager.
    b. Click Launch. The VPM appears in a new window.

Step 3: Create a Web content layer.
    a. Select Policy > Web Content Layer.
    b. Assign a descriptive name to the layer (for example, AVresponse).
    c. Click OK.

Step 4: Create an action for the rule.
    a. Right-click the Action column; select Set. The Set Action Object dialog displays.
    b. Click New.
    c. Select Set ICAP Response Service. The Add ICAP Response Service Object dialog displays.

Step 5: Configure the response service object.
    a. Select Use ICAP response service.
    b. In the Available Services list, select the response service (created in Task 2) and click Add.
    c. Select Deny the client request. This option doesn’t serve Web content when an error occurs during processing (for example, if the ProxyAV is down and scanning cannot be completed). The alternative (Continue without further ICAP response processing) is less secure, but it doesn’t block network access if the ICAP server goes down.
    d. Click OK; click OK again to add the object.

Step 6: Install the policy.
    a. Click Install Policy.
    b. Click OK.
    c. Close the VPM window.


Task 4: Test the Anti-Malware Policy


Before proceeding with further configuration, test the basic deployment to verify the ProxyAV is scanning
content, detecting viruses, and preventing intrusion.
Test the Policies

Step 1 Log in to the ProxyAV Management


Console.

Step 2 The ProxyAV home page displays If the home page is not already displayed, click Home.
statistics about the number of files
scanned and number of viruses
caught.

Step 3 Confirm that the ProxyAV is Look at the top of the ProxyAV home page:
scanning files.

The Files Scanned value should increment as clients make


Web requests. (The browser must be explicitly or
transparently redirected to the ProxySG appliance.)

Step 4 Verify that the ProxyAV is a. Select Advanced > Detailed stats > Requests history.
configured to log ICAP requests. b. Make sure that the Collect last ___ requests field
(You will check the log history later contains a value greater than 0 (zero).
to make sure the test worked.)
c. Click Save Changes.

Step 5 Log in to the ProxySG Management


Console.

Step 6 Prepare the ProxySG for test a. Select Configuration > Access Logging > General >
validation by enabling access Default Logging.
logging. b. Enable the Enable Access Logging checkbox.
c. Click Apply.

Step 7 Display the log, so that log entries a. Select Statistics > Access Logging > Log Tail.
can be viewed during testing. b. Click Start Tail.

Step 8 Request an “infected” test file. a. Open a browser that is either explicitly or transparently
redirected to the ProxySG.
Note: The file is not actually infected b. Go to http://www.eicar.org.
but has a virus signature that
c. Click the Anti-Malware Testfile link.
identifies it as infected for testing
purposes. d. Read the information about the test files, and select one
of the files to download (such as eicar.com).

4 - 14 Integrating the ProxySG and ProxyAV Appliances


Configuring the ProxySG and ProxyAV Appliances Task 4: Test the Anti-Malware Policy

Test the Policies

Step 9 Confirm that you were not provided with the “infected” file.
   a. A page should display indicating that the ProxyAV has detected a virus in the file, and that the file has been dropped.

Step 10 Check the ProxySG access log.
   a. Go to the ProxySG’s Access Log Tail window.
   b. Verify that the access log entry for the eicar file contains an entry for virus detection:
   2009-03-12 17:39:51 382 10.9.16.75 - - virus_detected PROXIED "none" http://www.eicar.org/anti_virus_test_file.htm 200 TCP_DENIED GET text/html;%20charset=%220%22 http www.eicar.org 80 /download/eicar.com.txt - txt "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" 10.9.16.76 1000 383 "EICAR test file"

Step 11 Check the ProxyAV ICAP request history.
   a. Go to the ProxyAV browser window.
   b. Select Advanced > Detailed stats > Requests history.
   c. Click Refresh Now.
   d. Locate the request for the eicar file.
   e. Verify that the Result field contains VIRUS.

Step 12 Request the same “infected” test file and verify that the ProxySG doesn’t send a previously-scanned object to the ProxyAV, since the response for the object is now in the ProxySG’s cache.
   a. Request the same “infected” test file.
   b. Go to the ProxyAV Requests History window.
   c. Click Refresh Now and verify that there is NOT a second request for the eicar file. (Since the response for the object was served from the ProxySG cache, it should not have been sent to the ProxyAV for scanning.)
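To run the Step 10 check against a saved access log instead of the Log Tail window, here is an added Python example (it is not part of this guide and not SGOS code) that parses entries like the one shown in Step 10 and picks out the virus detections. It assumes the entry is in the SGOS default "main" log format, whose field order it lists; the lines it scans are constructed (the Step 10 entry plus one clean request).

```python
import re
from typing import Dict, Iterable, List, Optional

# Assumption: the entry is in the SGOS default "main" access log format; this is
# its field order as I know it (the page shows the entry but not its #Fields header).
MAIN_FIELDS = [
    "date", "time", "time-taken", "c-ip", "cs-username", "cs-auth-group",
    "x-exception-id", "sc-filter-result", "cs-categories", "cs(Referer)",
    "sc-status", "s-action", "cs-method", "rs(Content-Type)", "cs-uri-scheme",
    "cs-host", "cs-uri-port", "cs-uri-path", "cs-uri-query", "cs-uri-extension",
    "cs(User-Agent)", "s-ip", "sc-bytes", "cs-bytes", "x-virus-id",
]

# A field is either a double-quoted string (which may contain spaces) or a run of
# non-whitespace; "-" marks an empty field.
_FIELD = re.compile(r'"[^"]*"|\S+')

# Constructed sample: a header line, the entry from Step 10 joined onto one line,
# and one clean request that was served without a detection.
SAMPLE_LOG = "#Fields: " + " ".join(MAIN_FIELDS) + "\n" + (
    '2009-03-12 17:39:51 382 10.9.16.75 - - virus_detected PROXIED "none" '
    "http://www.eicar.org/anti_virus_test_file.htm 200 TCP_DENIED GET "
    "text/html;%20charset=%220%22 http www.eicar.org 80 /download/eicar.com.txt - txt "
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" '
    '10.9.16.76 1000 383 "EICAR test file"\n'
    '2009-03-12 17:40:10 120 10.9.16.75 - - - OBSERVED "none" - 200 TCP_NC_MISS GET '
    'text/html http www.eicar.org 80 /index.htm - htm "Mozilla/4.0" 10.9.16.76 5120 400 -\n'
)


def split_fields(line: str) -> List[str]:
    """Tokenize one log line, dropping the surrounding quotes of quoted fields."""
    out = []
    for tok in _FIELD.findall(line):
        if len(tok) >= 2 and tok[0] == '"' and tok[-1] == '"':
            tok = tok[1:-1]
        out.append(tok)
    return out


def parse_main_entry(line: str) -> Optional[Dict[str, str]]:
    """Map a main-format line onto field names; None if the field count does not match."""
    tokens = split_fields(line.strip())
    if len(tokens) != len(MAIN_FIELDS):
        return None
    return dict(zip(MAIN_FIELDS, tokens))


def virus_detections(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per entry in which ICAP scanning reported a virus."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # blank line or W3C/ELFF directive (#Fields:, #Date: ...)
        entry = parse_main_entry(line)
        if entry is None:
            continue
        # Both markers appear in the Step 10 entry: the exception id names the
        # reason for the denial and x-virus-id carries the name the ProxyAV returned.
        if entry["x-exception-id"] != "virus_detected" or entry["x-virus-id"] == "-":
            continue
        hits.append({
            "timestamp": f'{entry["date"]} {entry["time"]}',
            "client": entry["c-ip"],
            "url": f'{entry["cs-uri-scheme"]}://{entry["cs-host"]}{entry["cs-uri-path"]}',
            "virus_id": entry["x-virus-id"],
            "denied": entry["s-action"] == "TCP_DENIED",
        })
    return hits


if __name__ == "__main__":
    for hit in virus_detections(SAMPLE_LOG.splitlines()):
        print(hit)
```

If your ProxySG uses a custom log format, replace MAIN_FIELDS with the field list from the log's own #Fields header line.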


5 Monitoring ICAP Scanning

This chapter describes different ways to monitor ICAP scanning — on the ProxySG, on the ProxyAV, and
in Blue Coat Reporter. It includes the following topics:
❐ Displaying ICAP Graphs and Statistics on the ProxySG—on page 5-2

❐ Monitoring ICAP-Enabled Sessions on the ProxySG—on page 5-5

❐ Viewing Statistics on the ProxyAV—on page 5-8

❐ Creating Anti-Malware Reports in Blue Coat Reporter—on page 5-10


Displaying ICAP Graphs and Statistics on the ProxySG


On the ProxySG, you can display a variety of ICAP statistics in bar chart form as well as in a statistical table.
Table 5-1 defines the ICAP statistics that the ProxySG tracks for each ICAP service and service group.
Note ICAP monitoring on the ProxySG requires SGOS 5.4 or higher.

Table 5-1 ICAP Statistics

Statistic Definition

Plain Requests ICAP scanning transactions that are not encrypted

Secure Requests ICAP scanning transactions that are encrypted and tunneled over SSL

Deferred Requests ICAP scanning transactions that have been deferred until the full object has been
received

Queued Requests ICAP scanning transactions that are waiting until a connection is available

Successful Requests ICAP scanning transactions that completed successfully

Failed Requests ICAP scanning transactions that failed because of a scanning timeout, connection
failure, server error, or a variety of other situations

Bytes Sent Bytes of ICAP data sent to the ICAP service or service group
Note: Bytes Sent does not include secure ICAP traffic.

Bytes Received Bytes of data received from the ICAP service or service group

Plain Connections Number of connections between the ProxySG and the ProxyAV across which
plain ICAP scanning requests are sent
Note: This statistic is not tracked for service groups.

Secure Connections Number of connections between the ProxySG and the ProxyAV across which
encrypted ICAP scanning requests are sent
Note: This statistic is not tracked for service groups.

Displaying ICAP Graphs on the ProxySG

ICAP graphs can be used as diagnostic and troubleshooting tools. For instance, if the Active Requests graph
shows excessive queued ICAP requests on a regular basis, this may indicate the need for a higher capacity
ProxyAV.
Display ICAP Graphs on the ProxySG

Step 1 Log in to the ProxySG Management Console.


Step 2 Select Statistics > ICAP. The ICAP statistics screen displays.

Step 3 Choose what you want to graph. Choose one of the following:

Step 4 Select the time period to graph. From the Duration drop-down list, choose from Last Hour, Last Day, Last Week, Last Month, or Last Year.

Step 5 Select the type of graph. Select one of the following tabs:
   Active Requests — Plain, secure, deferred, and queued active ICAP transactions (sampled once per minute)
   Connections — Plain and secure ICAP connections (sampled once per minute)
   Completed Requests — Successful and failed completed ICAP transactions
   Bytes — Bytes sent to the ICAP service and received from the ICAP service
   Each statistic displays as a different color on the stacked bar graph. By default, all relevant statistics are displayed.

Step 6 Select the name of what you want to graph. In the Name column in the table beneath the graph, select one of the following:
   • Select the service name.
   • Select the service group name.
   • Select the Totals row (graphs all services or service groups).

Step 7 (Optional) Disable checkboxes next to any statistics you don’t want displayed on the graph. For example:

Additional Information

• While the ICAP statistics screen is displayed, you can view new graphs by selecting different services,
service groups, time periods, or graph types.


• Graphs automatically refresh every minute. This may be noticeable only on graphs with the Last Hour
duration.

• To see the actual statistics associated with a bar on the graph, hover the mouse pointer anywhere on the
bar. A box showing the statistics and total appears at the mouse pointer.

Displaying ICAP Statistical Data

If you are more interested in the data than in the graphs, the ICAP statistics screen displays this information
as well; beneath the graph is a concise table that displays the number of successful and failed requests and
number of bytes sent and received for each service or service group during the selected time period. The
table also calculates totals for each statistic across all services or service groups.
Display ICAP Statistical Data

Step 1 Select Statistics > ICAP. The ICAP statistics screen displays.

Step 2 Choose what you want to graph. Choose one of the following:

Step 3 Select the time period to graph. From the Duration drop-down list, choose from Last Hour, Last Day, Last Week, Last Month, or Last Year.

Step 4 Review the statistics. For the time period you selected, the ProxySG displays statistics for individual services as well as totals for all services.


Monitoring ICAP-Enabled Sessions on the ProxySG


For detailed information about active and errored sessions that have ICAP scanning enabled, view the
Active Sessions and Errored Sessions pages. You can filter the session list to display only the ICAP-enabled
sessions, so that you can easily view the ICAP state of each session (transferring, deferred, scanning,
completed) and see fine-grained details (such as client IP address, server name, bytes, savings, and
protocol).
Additional ICAP filters are available as well. You can also filter by:

• Type of ICAP service: REQMOD (request) or RESPMOD (response)


• Service name
• ICAP status (for example, display only the deferred connections)
Note that these additional filters are optional. If you leave all the options set to Any, all ICAP-enabled
sessions will be displayed.

Displaying Active ICAP-Enabled Sessions

By default, the Active Sessions screen displays all active sessions. When analyzing ICAP functionality, it’s
helpful to filter the list to display only ICAP-enabled sessions.
List ICAP-Enabled Sessions

Step 1 Log in to the ProxySG Management Console.

Step 2 Display active sessions. Select Statistics > Sessions > Active Sessions > Proxied Sessions.

Step 3 Select the ICAP filter. Use the Filter drop-down list.

Step 4 (Optional) Filter by type of ICAP service. Choose REQMOD or RESPMOD. Or choose Any to display both types of services.

Step 5 (Optional) Filter by service name. Select the service name from the Service drop-down list, or choose Any to display all services.

Step 6 (Optional) Select the ICAP state. Choose one of the following from the Status drop-down list: transferring, deferred, scanning, completed. Or choose Any to display all types of connections.

Step 7 (Optional) Limit the number of connections to view. Select Display the most recent and enter a number in the results field. This helps optimize performance when there is a large number of connections.


Step 8 (Optional) View only the current errored proxied sessions. Select Show errored sessions only.

Step 9 Display the ICAP-enabled sessions. Click Show. The Proxied Sessions table displays the ICAP-enabled sessions.

Of particular interest in the Proxied Sessions table is the ICAP (I) column. This column indicates the status
of the ICAP-enabled session, with unique icons identifying the ICAP status. Table 5-2 describes each of the
icons.
Table 5-2 ICAP Icons

ICAP Icon Description

(magnifying glass) Scanning — ICAP requests are in the process of being scanned

(arrow) Transferring — ICAP requests are being transferred to the ICAP server

(clock) Deferred — ICAP scanning requests have been deferred until the full object has
been received

(checkmark) Completed — ICAP scanning requests completed successfully

(i) Inactive — The ICAP feature is inactive for the session or connection

no icon Unsupported — ICAP is not supported for the corresponding session or connection

Additional Information

Icon Tooltips—When you mouse over an ICAP icon, a tooltip displays details about the session:

• The type of ICAP service (REQMOD and/or RESPMOD)


• The name of the service
• The ICAP state (transferring, deferred, scanning, or completed), for example:
REQMOD Service: icap1 (completed)


• When only one type of service is used for a session, the tooltip indicates whether the other type is
inactive or unsupported, for example:
RESPMOD Service: inactive
Sorting—If you click the I column heading, the sessions are sorted in the following order:

• Transferring
• Deferred
• Scanning
• Completed
• Inactive
• Unsupported


Viewing Statistics on the ProxyAV


The ProxyAV tracks historical and current statistics on scanned objects and found viruses.
View Statistics on the ProxyAV

Step 1 Log in to the ProxyAV Management Console.

Step 2 The ProxyAV home page displays statistics about the number of files scanned and number of viruses caught. These statistics are accumulated since the last reboot of the appliance or the last reset of counters.
   If the home page is not already displayed, click Home.

Step 3 View the statistics about number of files scanned and number of viruses caught. At the top of the home page:

Step 4 View historical data about ICAP objects and connections.
   a. Select Advanced > History stats.
   b. Select one of the following:
   ICAP Objects: Number of ICAP objects received during the interval
   Connections: Maximum number of concurrent connections made during the interval
   ICAP Bytes: Total size in bytes of ICAP objects received during the interval
   For each type of statistic, graphs of three time periods are shown: last 60 minutes, last 24 hours, and last 30 days. Here’s an example of the ICAP Objects graph for the last 60 minutes:


Step 5 Display details on the objects the ProxyAV is currently scanning.
   a. Select Advanced > Detailed stats. The following details are displayed:
   Concurrent connections: Current number of connections to the ProxyAV.
   Total objects being processed: Number of objects the ProxyAV is currently scanning.
   b. Click Refresh Now to see detailed statistics of the objects currently being scanned.

Step 6 Display the results of past anti-virus scans.
   a. Select Advanced > Detailed stats.
   b. Select Requests History.
   c. In the Collect last ___ requests field, enter the number (0-1000) of requests to display in the list. When the number is set to zero, request logging is disabled.
   d. Click Save Changes.
   e. Click Refresh Now to obtain the most current data about processed requests.


Creating Anti-Malware Reports in Blue Coat Reporter


For those using Blue Coat Reporter for their reporting needs, there are several anti-malware reports
available.
Table 5-1 Anti-Virus Reports in Reporter

Reporter Version   Report Name                            Description

8.3   ICAP virus IDs                         Lists the IDs of detected viruses
8.3   ICAP virus URL                         Lists the URL associated with each detected virus
8.3   ICAP virus user detail                 Lists the client’s login name or IP address associated with each detected virus
9.1   Malware Requested Blocked by Site      Lists all URLs that were blocked because of suspected malware presence
9.1   Potential Malware Infected Clients     Lists all client IP addresses that might be infected by malicious content. This data is derived by the URLs requested by each client.
9.1   ProxyAV Malware Detected: Client IP    Lists each instance of malware encountered during employee Web browsing, based on the client IP address that browsed the URL
9.1   ProxyAV Malware Detected: Names        Lists the name of each malware code encountered during employee Web browsing
9.1   ProxyAV Malware Detected: Site         Lists all URLs that were detected as suspected malware sources


6 Additional Configuration

This chapter describes techniques for improving the user experience during ICAP scanning (via patience
pages or data trickling), ways to notify administrators about detected viruses, and several additional ICAP
policies that you can implement. It includes the following topics:
❐ Improving the User Experience—on page 6-2

❐ Getting Notified about Detected Viruses—on page 6-7

❐ Implementing Response and Request (Two-Way) ICAP—on page 6-10

❐ Creating User-Based ICAP Policy—on page 6-14


Improving the User Experience


To avoid having users abort and reinitiate their Web requests due to scanning delays, you may want to
provide feedback to let users know that scanning is in progress. This feedback can take the form of a patience
page, an HTML page that displays an informative message, such as
The content of the page you requested is currently being scanned. Please be patient...
Patience pages are displayed to the user if an ICAP content scan exceeds the specified duration.
Two other techniques for mitigating scanning delays are data trickling and deferred scanning. All three of
these techniques are discussed below.

About Patience Pages

Patience pages are HTML pages displayed to the user if an ICAP content scan exceeds the specified
duration. You can configure the content of these pages to include a custom message and a help link. Patience
pages refresh every five seconds and disappear when object scanning is complete.
Patience pages are not compatible with infinite stream connections—or live content streamed over HTTP—
such as a webcam or video feed. ICAP scanning cannot begin until the object download completes. Because
this never occurs with this type of content, the ProxySG continues downloading until the maximum ICAP
file size limit is breached. At that point, the ProxySG either returns an error or attempts to serve the content
to the client (depending on fail open/closed policy). However, even when configured to fail open and serve
the content, the delay added to downloading this large amount of data is often enough to cause the user to
give up before reaching that point. See Chapter 9: Configuration Best Practices for some alternate solutions.

About Data Trickling

Patience pages provide a solution to appease users during relatively short delays in object scans. However,
scanning relatively large objects, scanning objects over a smaller bandwidth pipe, or high loads on servers
might disrupt the user experience because connection timeouts occur. To prevent such time-outs, you can
allow data trickling to occur. Depending on the trickling mode you enable, the ProxySG either trickles—or
allows at a very slow rate—bytes to the client at the beginning of the scan or near the very end.
The ProxySG begins serving server content without waiting for the ICAP scan result. However, to maintain
security, the full object is not delivered until the results of the content scan are complete (and the object is
determined to not be infected).
Note This feature is supported for the HTTP proxy only; data trickling for FTP connections is not
supported.

Trickling Data From the Start

In trickle from start mode, the ProxySG buffers a small amount of the beginning of the response body. As the
ProxyAV continues to scan the response, the ProxySG allows one byte per second to the client.
After the ProxyAV completes its scan:


• If the object is deemed to be clean (no response modification is required), the ProxySG sends the rest of
the object bytes to the client at the best speed allowed by the connection.

• If the object is deemed to be malicious, the ProxySG terminates the connection and the remainder of the
response object bytes are not sent to the client.
Deployment Notes

• This method is the more secure option because the client receives only a small amount of data pending
the outcome of the virus scan.

• One drawback is that users might become impatient, especially if they notice the browser display of
bytes received. They might assume the connection is poor or the server is busy, close the client, and
restart a connection.

Trickling Data at the End

In trickle at end mode, the ProxySG sends the response to the client at the best speed allowed by the
connection, except for the last 16 KB of data. As the ProxyAV performs the content scan, the ProxySG allows
one byte per second to the client.
After the ProxyAV completes its scan, the behavior is the same as described in "Trickling Data From the
Start" on page 6-2.
Deployment Notes

• Blue Coat recommends this method for media content, such as Flash objects.
• This method is more user-friendly than trickle at start because users tend to be more patient when they
notice that 99 percent of the object is downloaded. Therefore, they are less likely to perform a connection
restart. However, network administrators might perceive this method as the less secure method, as a
majority of the object is delivered before the results of the ICAP scan.

General Deployment Notes

This section provides information about data trickling deployments.


Deciding between Data Trickling and Patience Pages
ProxySG configuration options plus policy allow you to provide different ICAP feedback actions
depending upon the type of traffic detected:

• Blue Coat defines interactive as the request involving a Web browser. Web browsers support data
trickling and patience pages.

• Non-interactive traffic originates from non-browser applications, such as automatic software download
or update clients. Such clients are not compatible with patience pages; therefore, data trickling or no
feedback are the only supported options.
Based on whether the requirements of your enterprise place a higher value on security or on availability, the
ProxySG allows you to specify the appropriate policy.


Configuring ICAP Feedback

After reading the previous section, you should have concluded if you want to provide ICAP feedback to
your users and if so, what type of feedback you want to use for interactive (browser-based) and
non-interactive traffic. The steps for configuring the global feedback settings appear below.
Configure ICAP Feedback for Interactive and Non-Interactive Traffic

Step 1 Log in to the ProxySG Management Console.

Step 2 Specify the amount of time to wait before notifying a Web-browser client that an ICAP scan is occurring.
   a. Select Configuration > External Services > ICAP > ICAP Feedback.
   b. Locate the ICAP Feedback for Interactive Traffic section.
   c. Enter a value in the Provide feedback after ___ seconds field.

Step 3 Select the feedback method for interactive (browser-based) traffic. Choose one of the following:
   • Return patience page (HTTP and FTP patience pages are available)
   • Trickle object data from start (more secure form of trickling)
   • Trickle object data at end (this form of trickling provides a better user experience)

Step 4 For non-interactive traffic, specify the amount of time to wait before notifying a client that an ICAP scan is occurring.
   a. Locate the ICAP Feedback for Non-Interactive Traffic section.
   b. Enter a value in the Provide feedback after ___ seconds field.

Step 5 Select the feedback for non-interactive traffic. Choose one of the following:
   • Trickle object data from start
   • Trickle object data at end

Step 6 Save the settings. Click Apply.

These settings are global. You may want to define additional feedback policy that applies to specific user
and conditional subsets. In the Visual Policy Manager, the object is located in the Web Access Layer: Return
ICAP Feedback.


To customize the text on HTTP and FTP patience pages, select Configuration > External Services > ICAP >
ICAP Patience Page.

Avoiding Network Outages due to Infinite Streaming Issues

Infinite streams are connections such as webcams or Flash media—traffic over an HTTP connection—that
conceivably have no end. Characteristics of infinite streams may include no content length, slow data rate
and long response time. Because the object cannot be fully downloaded, the ICAP content scan cannot start;
however, the connection between the ProxySG and the ProxyAV remains, which wastes finite connection
resources.
The deferred scanning feature solves the infinite streaming issue by detecting ICAP requests that are
unnecessarily holding up ICAP connections (without requiring the ProxyAV) and defers those requests
until the full object has been received.

How Deferred Scanning Works

When the number of ICAP resources in use has reached a certain threshold, the ProxySG starts deferring
scanning of the oldest outstanding ICAP requests. Once the defer threshold has been reached, for every new
ICAP request, the ProxySG defers the oldest ICAP connection that has not yet received a full object.
The defer threshold is specified by the administrator as a percentage. For example, if the defer threshold is
set to 70 percent and the maximum connections are set to 100, then up to 70 connections are allowed before
the ProxySG begins to defer connections that have not finished downloading a complete object.
When an ICAP connection is deferred, the connection to the ProxyAV is closed. The application response
continues to be received; when the download is complete, the ICAP request is restarted. The new ICAP
request may still be queued if there are no available ICAP connections. Once a request is deferred, the
ProxySG waits to receive the full object before restarting the request. If there is a queue when a deferred
action has received a complete object, that action is queued behind other deferred actions that have finished.
However, it will be queued before other new requests.
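As an added illustration of the threshold and queue order described above (my own simplified model, not Blue Coat code; the ProxySG's scheduler may differ in details the text does not state), the following Python class takes the two settings the text names, the maximum connections and the defer threshold percentage, and replays the 70 percent of 100 example. The class and method names are my own.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional


@dataclass
class IcapRequest:
    req_id: str
    complete: bool = False   # has the ProxySG received the full object yet?
    state: str = "queued"    # "scanning" (holds a connection), "deferred", "queued", "done"


class DeferringIcapPool:
    """Toy model of ICAP connection use with 'Defer scanning at threshold' enabled.

    Assumptions (mine, not documented product internals): the threshold is checked
    only when a new request arrives, and a freed connection goes to restarted
    deferred requests before brand-new queued ones, as the text describes.
    """

    def __init__(self, max_connections: int, defer_threshold_pct: int) -> None:
        if not 0 <= defer_threshold_pct <= 100:
            raise ValueError("threshold is a percentage (0-100)")
        self.max_connections = max_connections
        # e.g. 70 percent of 100 connections: deferral starts once 70 are in use
        self.defer_at = max_connections * defer_threshold_pct // 100
        self.active: List[IcapRequest] = []           # oldest first; each holds a connection
        self.deferred: Dict[str, IcapRequest] = {}    # connection closed, waiting for full object
        self.restarted: Deque[IcapRequest] = deque()  # deferred, object complete, waiting for a connection
        self.new_queue: Deque[IcapRequest] = deque()  # never had a connection yet

    def _defer_oldest_incomplete(self) -> Optional[IcapRequest]:
        for req in self.active:
            if not req.complete:
                self.active.remove(req)      # the connection to the ProxyAV is closed
                req.state = "deferred"
                self.deferred[req.req_id] = req
                return req
        return None  # every active scan already has its full object; nothing to defer

    def _grant(self, req: IcapRequest) -> None:
        req.state = "scanning"
        self.active.append(req)

    def new_request(self, req_id: str, complete: bool = False) -> IcapRequest:
        req = IcapRequest(req_id, complete)
        if len(self.active) >= self.defer_at:
            self._defer_oldest_incomplete()  # frees a connection for this request
        if len(self.active) < self.max_connections:
            self._grant(req)
        else:
            self.new_queue.append(req)       # no connection available at all
        return req

    def object_received(self, req: IcapRequest) -> None:
        """The full response body has now been downloaded for this request."""
        req.complete = True
        if req.state != "deferred":
            return
        del self.deferred[req.req_id]
        if len(self.active) < self.max_connections:
            self._grant(req)                 # restart the ICAP request immediately
        else:
            req.state = "queued"
            self.restarted.append(req)       # behind earlier restarted ones, ahead of new ones

    def scan_finished(self, req: IcapRequest) -> None:
        """The ProxyAV returned its verdict; the connection becomes available."""
        self.active.remove(req)
        req.state = "done"
        waiting = self.restarted or self.new_queue
        if waiting:
            self._grant(waiting.popleft())

    def stats(self) -> Dict[str, int]:
        """Counts in the spirit of the Active Requests graph: active, deferred, queued."""
        return {"active": len(self.active), "deferred": len(self.deferred),
                "queued": len(self.restarted) + len(self.new_queue)}


if __name__ == "__main__":
    pool = DeferringIcapPool(max_connections=100, defer_threshold_pct=70)
    reqs = [pool.new_request(f"req{i}") for i in range(1, 72)]  # the 71st arrival triggers the first deferral
    print(pool.stats(), reqs[0].state)
```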

Deferred Scanning and Setting the Feedback Options

Depending on how you configure the ICAP feedback option (patience page or data trickling) and the size
of the object, deferred scanning may cause a delay in ICAP response because the entire response must be
sent to the ProxyAV at once.
If a patience page is configured, the browser continues to receive a patience page until the object is fully
received and the outstanding ICAP actions have completed.
If the data trickle options are configured, the object continues to trickle during deferred scanning. However,
due to the trickle buffer requirement, there may be a delay, with or without deferred scanning, before the
ProxySG starts sending a response.


Enabling the Scanning Deferral Feature

You may have already enabled the scanning deferral feature when creating the ICAP service. (See "Task 2:
Create the ICAP Service" on page 4-4.) The steps for enabling scanning deferral and setting its threshold
appear below.
Enable Scanning Deferral for an ICAP Service

Step 1 Log in to the ProxySG Management Console.

Step 2 Edit the ICAP service.
   a. Select Configuration > External Services > ICAP > ICAP Services.
   b. Select the ICAP service.
   c. Click Edit. The Edit ICAP Service window appears.

Step 3 Enable scanning deferral.
   a. Select Defer scanning at threshold to enable the defer scanning feature.
   b. Enter a value (0-100) to set the threshold at which the ProxySG defers the oldest ICAP connection that has not yet received a full object.

Step 4 Save the settings.
   a. Click OK to close the Edit ICAP Service window.
   b. Click Apply.


Getting Notified about Detected Viruses


To be cognizant of the ProxyAV’s actions on your network traffic, you can have the ProxyAV send you an
e-mail each time it blocks a file or detects a virus. E-mail notification requires that you configure e-mail
settings as well as designate which types of events trigger notification: found viruses, blocked files, or
unscanned files.
In addition to (or as an alternative to) e-mail notification, you can choose to have these events recorded in
an alert log that you can view at any time.
Note The ProxySG and the ProxyAV each have facilities for notifying network administrators about
detected viruses. Because the ProxyAV has options for notifying administrators about blocked and
unscanned files, in addition to detected viruses, this section focuses on configuring notification on
the ProxyAV.

Configure Alert Settings on the ProxyAV

Step 1 Log in to the ProxyAV Management Console.

Step 2 Specify e-mail addresses.
   a. Select Alerts > Alert Settings.
   b. In the Send e-mail address field, enter the source mail address to use for alert e-mails. (This address will appear in the From field of the e-mail.) For example: proxyav123@company.com
   c. In the Recipient e-mail address field, enter the addresses of the people who should receive the alert e-mails, with each address separated by a comma. For example: user1@company.com,user2@company.com,consultant@another.com

Step 3 Enter the SMTP server settings.
   a. In the SMTP server address field, enter the IP address for the server.
   b. If your server requires that POP authentication be used, select SMTP Authorization (POP-Before-SMTP) Enabled, and then enter the authentication information.

Step 4 Save the settings. Click Save Changes.


Selecting Alert Types

Select the types of alerts for which you want notification and/or alert log entries.
Select Alert Types

Step 1 Log in to the ProxyAV Management Console.

Step 2 Select which alerts you want e-mail notification and/or alert log entries created.
   a. Select Alerts. The Alerts table appears. By default, all alerts are enabled for e-mail and logging.
   b. Enable/disable alerts as desired. The first three pertain to scanning results:
   Virus is found
   File was passed through without being scanned
   File was blocked

Step 3 Save the settings. Click Save Changes.

After configuring the alert settings and selecting the types of alerts you want to be notified about, the
configured recipients will receive e-mail messages to alert them of detected viruses, blocked files, and any
other events you have configured. In addition, an entry will be added to the alert log.

Viewing the Alert Log

To view the alert log on the ProxyAV, select Log Files and then choose View log file in browser for the
AlertLogFile.log.


An alert log entry looks similar to the following:

ATEXT=Cause: Blocked file extension detected (engine error code: None)
File has been dropped.
2009-03-06 05:24:05-08:00PST
Hardware serial number: 2808101126
ProxyAV (Version 3.2.2.1(36678)) - http://www.BlueCoat.com/
Machine name: ProxyAV
Machine IP address: 10.9.16.74
Server: unknown
Client: unknown
Protocol: ICAP


Implementing Response and Request (Two-Way) ICAP


ICAP response modifications for incoming traffic are used for virus protection; ICAP request modifications
for outgoing traffic are mostly used for data leak protection (DLP). The same client request can have
request-modification applied before it is forwarded to the origin-content server and response-modification
applied as the object data returns.
To set up two-way ICAP on the ProxySG appliance, you must complete the following tasks:
1. Configure two ICAP services on the ProxySG: one for requests and one for responses.
2. Create a policy for the ICAP Response service for virus scanning of inbound traffic.
3. Create a policy for the ICAP Request service for data leak protection on outbound traffic.
4. Test the policies.

Task 1: Define the ICAP Services

Follow these general steps for creating the ICAP request and response modification services. For details on
all of the service options, see "Task 2: Create the ICAP Service" on page 4-4.
Create the ICAP Response and Request Services

Step 1 Log in to the ProxySG Management Console.

Step 2 Create an ICAP response modification service.
   a. Select Configuration > External Services > ICAP > ICAP Services.
   b. Create a new service named avresponse (for example).
   c. Edit the service.
   d. For the Service URL, enter the URL of the ProxyAV. The URL includes the scheme, the ProxyAV’s hostname or IP address, and the ICAP service name. For example: icap://10.10.10.10/avscan
   e. Select response modification for the ICAP method.
   f. Change other settings as required.
   g. Click Sense settings.

Step 3 Create an ICAP request modification service.
   a. Create a new service named DLP (for example).
   b. Edit the service.
   c. For the Service URL, enter the URL of the ProxyAV. The URL includes the scheme, the ProxyAV’s hostname or IP address, and the ICAP service name. For example: icap://10.10.10.10/avscan
   d. Select request modification for the ICAP method.
   e. Change other settings as required.
   f. Click Sense settings.


Task 2: Create an ICAP Response Policy

Use the Visual Policy Manager (VPM) to configure an ICAP response policy on the ProxySG. This policy is
identical to the one configured in Chapter 4.
Configure the ICAP Response Policy

Step 1 Log in to the ProxySG Management Console.

Step 2 Launch the VPM.
  a. Select Configuration > Policy > Visual Policy Manager.
  b. Click Launch.

Step 3 Create a Web content layer.
  a. Select Policy > Web Content Layer.
  b. Assign a descriptive name to the layer (for example, AVresponse).
  c. Click OK.

Step 4 Create an action for the rule.
  a. Right-click the Action column; select Set. The Set Action Object dialog displays.
  b. Click New.
  c. Select Set ICAP Response Service. The Add ICAP Response Service Object dialog displays.

Step 5 Configure the response service object.
  a. Select Use ICAP response service.
  b. In the Available services list, select the response service (created in Task 1) and click Add.
  c. Select Deny the client request.
  d. Click OK; click OK again to add the object.

Task 3: Create an ICAP Request Policy

Configure the policy for ICAP requests.


Configure the ICAP Request Policy

Step 1 Create a Web access layer.
  a. Select Policy > Web Access Layer.
  b. Assign a descriptive name to the layer (for example, DLP).
  c. Click OK.

Step 2 Create an HTTP/HTTPS service object for the request policy.
  a. Right-click the Service column; select Set. The Set Service Object dialog displays.
  b. Click New.
  c. Select Protocol Methods. The Add Methods Object dialog displays.
  d. Name the protocol method HTTP and select HTTP/HTTPS from the Protocol list.
  e. In the Common methods section, select the POST and PUT checkboxes, and click OK.

Step 3 Create an FTP service object.
  a. In the Set Service Object dialog, click New.
  b. Select Protocol Methods. The Add Methods Object dialog displays.
  c. Name the protocol method FTP and select FTP from the Protocol list.
  d. In the Commands that modify data section, select the STOR checkbox, and click OK.

Step 4 Create a combined (HTTP and FTP) service object.
  a. In the Set Service Object dialog, click New and select Combined Service Object.
  b. Select the HTTP object and click Add.
  c. Select the FTP object and click Add.
  d. Click OK.
  e. Click OK again to set the Combined Service object as the Web Access Layer service.

Step 5 Set the action for the Request policy.
  a. Right-click the Action column and select Set.
  b. Click New and select Set ICAP Request Service. The Add ICAP Request Service Object dialog
     appears.
  c. Select the DLP ICAP Request service and click Add.
  d. Click OK.
  e. Click OK again.

Step 6 Install the policy (all layers).
  a. Click Install Policy.
  b. Click OK.
  c. Close the VPM window.
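The same two-way policy expressed in Content Policy Language (CPL), as an added example that is not the guide's own code. It assumes the service names chosen in Task 1 (avresponse and DLP); the ftp.method= trigger and the parenthesised list form of http.method= are assumed SGOS 5.x CPL syntax and should be checked against the CPL reference for the installed release.

```cpl
; Added example (not from the guide): CPL equivalent of the two-way ICAP policy
; built in the VPM above. avresponse and DLP are the service names from Task 1.

; Task 2 equivalent: every response is scanned on its way back to the client.
; fail_closed corresponds to "Deny the client request" when the ProxyAV
; cannot be reached.
<Cache>
    response.icap_service(avresponse, fail_closed)

; Task 3 equivalent: only requests that carry a body to the server are sent
; for request modification. Lines inside a define block are ORed together.
; ftp.method= and the list syntax for http.method= are assumed SGOS 5.x CPL.
define condition DLP_UPLOAD
    http.method=(POST, PUT)
    ftp.method=STOR
end condition DLP_UPLOAD

<Proxy>
    condition=DLP_UPLOAD request.icap_service(DLP, fail_closed)
```

To test the installed policy (Task 4 above), fetch the EICAR test file through the proxy to exercise the response path, then POST the same file to an external site to exercise the request path; the ProxyAV should report a virus in both directions and the ProxySG should deny the transaction each time.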


Creating User-Based ICAP Policy


You may want to have different policies in place for different users or groups of users. Perhaps
administrators should have less restrictive rules than other users. For example, you may want to allow
administrators to download certain file types (such as EXE files) that are blocked for other users.
To set up user-based ICAP policies, you must complete the following tasks:
1. Configure an ICAP response service.
2. Create a Web content layer that contains a rule for the ICAP response service for virus scanning of
inbound traffic. This policy must fail open.
3. Create a Web authentication layer that prompts for user credentials when a Web browser is opened.
4. Create a Web access layer with authorization rules that allow certain users access to blocked files and
deny access to other users.
Note These steps assume you have already configured users and groups for authentication (using
RADIUS, LDAP, Microsoft Active Directory, or other authentication servers) and created a realm on
the ProxySG to connect to these servers.

Task 1: Create the ICAP Response Service

The first task is to create the ICAP response service; you may already have created one earlier.
Create the ICAP Response Service

Step 1 Log in to the ProxySG Management Console.

Step 2 Create a new ICAP response service. Refer to "Task 2: Create the ICAP Service" on page 4-4 for
instructions on creating this service.

Task 2: Create a Virus Scanning Rule (Web Content Layer)

The next task is to create a virus scanning rule in the Web content layer; you may already have created this
rule. However, with user-based ICAP policies, the ICAP response service must fail open (allow requests).
In other policies discussed in this guide, the ICAP response service fails closed (deny requests). Note that
even with a fail open policy, a virus or other malware will always be denied.
Create a Virus Scanning Rule that Fails Open

Step 1 Launch the Visual Policy Manager.
  a. Select Configuration > Policy > Visual Policy Manager.
  b. Click Launch.

Step 2 Create a Web content layer.
  a. Select Policy > Web Content Layer.
  b. Assign a descriptive name to the layer (for example, AVresponse).
  c. Click OK.

Step 3 Create an action for the rule.
  a. Right-click the Action column; select Set. The Set Action Object dialog displays.
  b. Click New.
  c. Select Set ICAP Response Service. The Add ICAP Response Service Object dialog displays.

Step 4 Configure the response service object.
  a. Select Use ICAP response service.
  b. In the Available Services list, select the response service (created in the previous task) and
     click Add.
  c. Select Continue without further ICAP response processing.
  d. Click OK; click OK again to add the object.

Task 3: Enable Web Authentication

To have users prompted for user name and password when they open a Web browser, you need to create a
Web authentication layer.
Create a Rule that Prompts for Web Authentication

Step 1 The Visual Policy Manager should still be open.

Step 2 Create a Web authentication layer.
  a. Select Policy > Web Authentication Layer.
  b. Accept the proposed name or assign a descriptive name to the layer.
  c. Click OK.

Step 3 Configure an authentication action.
  a. Right-click the Action column; select Set. The Set Action Object dialog displays.
  b. Click New.
  c. Select Authenticate. The Add Authenticate Object dialog displays.

Step 4 Specify the realm name for authentication.
  a. In the Name field, accept the proposed name or type a descriptive name for the object.
  b. In the Realm drop-down list, select the name of the previously-configured realm.
  c. Click OK; click OK again to add the object.

Task 4: Create Authorization Rules

The final task is to set up rules that designate which users/groups are allowed access to blocked file types
and which users/groups are denied access.
Create Rules for Allowing/Denying Access to Blocked File Types

Step 1 The Visual Policy Manager should still be open.

Step 2 Create a Web access layer.
  a. Select Policy > Web Access Layer.
  b. Accept the proposed name or assign a descriptive name to the layer.
  c. Click OK.

Step 3 Create a user object for the user you want to allow access to blocked file types.
  Note: If you have created user groups and want to create rules based on groups instead of
  individual users, you can create a group object instead of a user object. Follow the steps below,
  except specify group information.
  a. Right-click the Source column; select Set. The Set Source Object dialog displays.
  b. Click New.
  c. Select User. The Add User Object dialog displays.
  d. In the User field, type the user name. Note: Case is significant for local realms.
  e. In the Authentication Realm drop-down list, select the name of the previously-configured realm.
  f. Click OK; click OK again to add the object.

Step 4 Create a service object based on an ICAP error code.
  a. Right-click the Service column; select Set. The Set Service Object dialog displays.
  b. Click New.
  c. Select ICAP Error Code. The Add ICAP Error Code Object dialog displays.
  d. Choose Selected errors.
  e. Select File Type Blocked from the list of Available Errors.
  f. Click Add. File Type Blocked moves into the Selected Errors list.
  g. In the Name field, change the name to ICAPError_FileTypeBlocked.
  h. Click OK; click OK again to add the object.

Step 5 Indicate that this user should be allowed access to blocked file types.
  a. Right-click the Action column; select Allow. The rule should now read:
     Source: the user (or group) object; Service: ICAPError_FileTypeBlocked; Action: Allow.

Step 6 In the same Web access layer, create a rule for another user/group. This rule will deny access to
the user/group.
  a. Click Add Rule. A new rule row displays.
  b. Right-click the Service column; select Set. The Set Service Object dialog displays.
  c. From the existing service objects, select ICAPError_FileTypeBlocked.
  d. Click OK to add the object. The rule should now read:
     Service: ICAPError_FileTypeBlocked; Action: Deny.
     Note that the default action is Deny, so it is already correctly set. Keep this rule below the
     Allow rule: rules in a layer are evaluated from top to bottom and the first match wins, so a
     Deny rule placed above the Allow rule would also deny the user it is meant to exempt.

Step 7 Create other users/groups to whom you want to allow or deny access. Follow the above steps to
create appropriate rules in the Web access layer.

Step 8 Install the policy (all layers).
  a. Click Install Policy.
  b. Click OK.
  c. Close the VPM window.
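The four tasks above expressed in CPL, as an added example that is not the guide's own code. The names avresponse (ICAP response service), corp_realm (authentication realm) and admins (the group permitted to receive blocked file types) are example names; file_type_blocked is the assumed CPL spelling of the "File Type Blocked" ICAP error selected in the VPM, and should be checked against the CPL reference for the installed release.

```cpl
; Added example (not from the guide): CPL equivalent of the user-based ICAP policy.
; Example names: avresponse (ICAP response service), corp_realm (realm), admins (group).

; Task 2: scan every response but fail open, so that an ICAP error such as
; "file type blocked" is passed on to the rules below instead of ending the
; transaction here. Infected objects are still denied by the ProxyAV itself.
<Cache>
    response.icap_service(avresponse, fail_open)

; Task 3: require credentials from the realm before any access rule is evaluated.
<Proxy>
    authenticate(corp_realm)

; Task 4: within a layer the first matching rule wins, so the exception for
; admins is listed before the catch-all deny. file_type_blocked is the assumed
; CPL name of the "File Type Blocked" error chosen in the VPM.
<Proxy>
    group=admins response.icap_error_code=file_type_blocked allow
    response.icap_error_code=file_type_blocked deny
```

The ordering in the last layer is the same check a practitioner should make in the VPM: if the deny line came first, every user, including admins, would be denied.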

Integrating the ProxySG and ProxyAV Appliances 6 - 17


Creating User-Based ICAP Policy Additional Configuration

Once this policy is in place, users may be prompted to enter their credentials upon opening a Web browser;
some realms may authenticate without prompting. Users who have an Allow rule will be able to access
URLs that point to blocked file types or to archive files containing a blocked file type (for instance, a ZIP
file that contains an EXE file). Users who have a Deny rule will see an exception page when attempting to
access a blocked file type.



7 Load Balancing Between Multiple
ProxyAV Appliances

This chapter describes how to set up load balancing of scanning requests when your deployment includes
multiple ProxyAV appliances. It includes the following topics:
❐ About Service Groups—on page 7-2

❐ Creating an ICAP Service Group—on page 7-5

❐ Creating Load Balancing Policy—on page 7-6


About Service Groups


A ProxySG ICAP service is a named entity that identifies the ProxyAV, the ICAP method, and the supported
number of connections. A service group is a named set of ICAP services. You will need to create service
groups when you are using multiple ProxyAV appliances to process a large volume of scanning requests
(load balancing).

Legend:
A: AV1; a ProxyAV with 10 maximum connections and a specified weight of 1.
B: AV2; a ProxyAV with 10 maximum connections and a specified weight of 1.
C: AV3; a ProxyAV with 25 maximum connections and a specified weight of 3.
D: A ProxySG with a Service Group named AV_Response that contains AV1, AV2, and AV3.

Figure 7-1 ICAP service group of three ProxyAV ICAP servers.

Your anti-malware deployment can have multiple ProxySG appliances, each using an identical ICAP
service group of multiple ProxyAV appliances.
To help distribute and balance the load of scanning requests when the ProxySG is forwarding requests to
multiple services within a service group, the ProxySG uses an intelligent load balancing algorithm. When
deciding which service in the service group to send a scanning request, this algorithm takes into
consideration the following factors:

• Number of requests that are in a “waiting” state on each service (a request is in this state when it has
been sent to the service but the response hasn’t been received)

• Number of unused connections available on each service (calculated by subtracting the number of
active transactions from the connection maximum on the server)

• The user-assigned weight given to each server (see "Weighting" below)


Weighting

Weighting determines what proportion of the load one ProxyAV bears relative to the others. If all ProxyAV
servers have either the default weight (1) or the same weight, each shares an equal proportion of the load.
If one server has weight 25 and all other servers have weight 50, the 25-weight server processes half as
much as any other server.
Before configuring weights, consider the capacity of each server. Factors that could affect assigned weight
of a ProxyAV include the following:

• The processing capacity of one ProxyAV in relationship to other ProxyAV appliances (for example, the
number and performance of CPUs or the number of network interface cards).

• The maximum number of connections configured for the service. The maximum connections setting
pertains to how many simultaneous scans can be performed on the server, while weighting applies to
throughput in the integration. While these settings are not directly related, consider both when
configuring weighted load balancing.
Note External services (ICAP, Websense off-box) have a reserved connection for health checks. This
means that as the load goes up and the number of connections to the external service reaches the
maximum, with additional requests being queued up and waiting, the maximum simultaneous
connections is actually one less than the limit.
Having appropriate weights assigned to your services is critical when all ProxyAV servers in a service
group become overloaded. As servers reach their capacity, proper weighting is important because requests
are queued according to weight.
One technique for determining weight assignments is to start out by setting equal weights to each service
in a group; then, after several thousand requests, make note of how many requests were handled by each
service. For example, suppose there are two services in a group: Service A handled 1212 requests, Service B
handled 2323. These numbers imply that the second service is twice as powerful as the first. So, the weights
would be 1 for Service A and 2 for Service B.
Setting the weight value to 0 (zero) disables weighted load balancing for the ICAP service. Therefore, if one
ProxyAV of a two-server group has a weight value of 1 and the second a weight value of 0, should the first
ProxyAV go down, a communication error results because the second ProxyAV cannot process the request.

Load Balancing

When load balancing between services, how does the ProxySG decide which ICAP service to send a
scanning request to? For each service, it calculates an index by dividing the number of waiting transactions
by the server weight (think of this as wait/weight). The ICAP service with the lowest index value will
handle the new ICAP action, assuming that the service has an available connection to use. If it doesn’t, it
will send the request to the service with the next lowest index value that has a free connection.
Load will be distributed among services proportionally according to their configured weights until the
maximum connection limit is reached on all services.

Example 1

Service A and B are in the same service group.


• Service A can handle up to 50 connections, is assigned a weight of 1, has 17 active transactions, with 5
transactions in the waiting state. The index is calculated by dividing the wait by the weight: 5/1 = 5.

• Service B can handle up to 100 connections, is assigned a weight of 2, has 17 active connections, with 15
waiting transactions. The index is 15/2 = 7.5.
Which service will the ProxySG assign the next ICAP action? Service A because it has a lower index.

Example 2

Service C and D are in the same service group.

• Service C can handle up to 5 connections, is assigned a weight of 1, has 5 active transactions, with 1
transaction in the waiting state. The index is 1/1=1.

• Service D can handle up to 10 connections, is assigned a weight of 1, has 7 active transactions, with 5
waiting transactions. The index is 5/1=5.
To which service will the ProxySG assign the next ICAP action? Although Service C has a lower index than
Service D, it doesn’t have any available connections; therefore, the ProxySG will assign the next ICAP action
to Service D which has several free connections.


Creating an ICAP Service Group


The following procedure explains how to create an ICAP service group and add existing ICAP services to
it. It is assumed that you have already created an ICAP service for each ProxyAV in the load balancing
group. Note that all services in the group must be of the same type (for instance, response modification).
Create an ICAP Service Group

Step 1 Log in to the ProxySG Management Console.

Step 2 Add a new service group.
  a. Select Configuration > External Services > Service-Groups.
  b. Click New; the Add List Item dialog appears.
  c. In the Add Service Group field, enter an alphanumeric name. This example creates a group called
     avcluster.
  d. Click OK.

Step 3 Edit the service group.
  a. Highlight the new service group name and click Edit; the Edit Service Group dialog appears.
  b. Click New; the Add Service Group Entry dialog appears.
  c. From the list of existing services, select the ones to add to this group. Hold the Control or Shift
     key to select multiple services.
  d. Click OK to add the selected services to the group.

Step 4 Assign weights to services.
  a. Select a service and click Edit; the Edit Service Group Entry weight dialog appears.
  b. In the Entry Weight field, assign a weight value. The valid range is 0-255.
  c. Repeat steps a and b for other services, as required.
  d. Click OK to close the dialog.
  e. Click OK again to close the Edit Service Group dialog.
  f. Click Apply.


Creating Load Balancing Policy


An ICAP response load balancing policy is essentially the same as a standard ICAP response policy; the
only difference is that you specify the service group as the response service object (instead of the service).
Configure Load Balancing Policy

Step 1 Log in to the ProxySG Management Console.

Step 2 Launch the VPM.
  a. Select Configuration > Policy > Visual Policy Manager.
  b. Click Launch.

Step 3 Create a Web content layer.
  a. Select Policy > Web Content Layer.
  b. Assign a descriptive name to the layer (for example, avcluster).
  c. Click OK.

Step 4 Create an action for the rule.
  a. Right-click the Action column; select Set. The Set Action Object dialog displays.
  b. Click New.
  c. Select Set ICAP Response Service. The Add ICAP Response Service Object dialog displays.

Step 5 Configure the response service group object.
  a. Select Use ICAP response service.
  b. In the Available services list, select the response service group (the one created in "Creating an
     ICAP Service Group" on page 7-5) and click Add.
  c. Select Deny the client request.
  d. Click OK; click OK again to add the object.

Step 6 Install the policy.
  a. Click Install Policy.
  b. Click OK.
  c. Close the VPM window.

Result: Using the ICAP load balancing policy, the ProxySG sends ICAP response modification
requests to ProxyAV appliances in the service group. The load carried by each ProxyAV in the
group is determined by the weight values.



8 Configuring ProxyAV Failover

This chapter describes how to use two ProxyAV appliances to provide redundancy in case the primary
ProxyAV fails. It includes the following topics:
❐ About ProxyAV Failover—on page 8-2

❐ Creating ProxyAV Failover Policy—on page 8-3


About ProxyAV Failover


To ensure your network is never without malware scanning, you can deploy two ProxyAV appliances on
the same subnet and configure ICAP processing to fail over to the second appliance if the primary ProxyAV
goes down.
When creating an ICAP policy, you specify a list of ICAP services to use, in order of preference. If the first
service in the list does not pass the health checks, the ProxySG uses the next healthy service on the list to
perform the scanning. This alternate ProxyAV is called the standby server.
The primary ProxyAV resumes ICAP processing when the next health check is successful; the standby
ProxyAV does not retain the primary responsibility.
Notes

• Failover is configured as part of the ICAP policy definition.


• You cannot configure failover policy until ICAP services are configured on the ProxySG.
• To avoid errors, ICAP service names cannot be named fail_open or fail_closed (the CLI commands
prevent these names from being created).


Creating ProxyAV Failover Policy


A ProxyAV failover policy is similar to a standard ICAP response policy, except that you add two services
to the policy (one for each ProxyAV). The order in which you select the services determines which ProxyAV
is considered the primary server and which is considered the standby server: the primary should be
selected first. The policy tells the ProxySG to use the primary ProxyAV for all ICAP scanning. If the primary
server fails, the ProxySG will use the standby ProxyAV for scanning until the primary server is healthy
again.
The following procedure assumes that you have already created an ICAP service for each ProxyAV. (See
"Task 2: Create the ICAP Service" on page 4-4.) Note that the services must be of the same type (for instance,
response modification).
Configure the ProxyAV Failover Policy

Step 1 Log in to the ProxySG Management Console.

Step 2 Launch the VPM.
  a. Select Configuration > Policy > Visual Policy Manager.
  b. Click Launch.

Step 3 Create a Web content layer.
  a. Select Policy > Web Content Layer.
  b. Assign a descriptive name to the layer (for example, avfailover).
  c. Click OK.

Step 4 Create an action for the rule.
  a. Right-click the Action column; select Set. The Set Action Object dialog displays.
  b. Click New.
  c. Select Set ICAP Response Service. The Add ICAP Response Service Object dialog displays.

Step 5 Configure the response service object.
  a. Select Use ICAP response service.
  b. In the Available services list, select the primary ProxyAV service and click Add.
  c. In the Available services list, select the secondary (standby) ProxyAV service and click Add. The
     order in which the services are added is the order of preference: the first is the primary and the
     second is the standby.
  d. Select Deny the client request.
  e. Click OK; click OK again to add the object.

Step 6 Install the policy.
  a. Click Install Policy.
  b. Click OK.
  c. Close the VPM window.


Result: Using the ICAP failover policy, the ProxySG sends all ICAP response modification requests
to the primary ProxyAV. If this appliance fails, the ProxySG sends all requests to the standby
ProxyAV until the primary appliance is healthy again.
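The load-balancing policy from Chapter 7 and the failover policy from this chapter expressed in CPL, as an added example that is not the guide's own code. The names avcluster (the service group from Chapter 7), av1 and av2 (ICAP response services for the primary and standby ProxyAV) are example names; the service list form of response.icap_service() is assumed SGOS 5.x CPL syntax and should be checked against the CPL reference for the installed release.

```cpl
; Added example (not from the guide): the Chapter 7 and Chapter 8 policies in CPL.
; Example names: avcluster (service group), av1 (primary service), av2 (standby service).
; Install one of the two <Cache> layers, not both: when layers conflict, the later one wins.

; Chapter 7: a service group is referenced exactly like a single service. The ProxySG
; picks the member with the lowest wait/weight index that still has a free connection.
<Cache>
    response.icap_service(avcluster, fail_closed)

; Chapter 8: listing two services makes the first the primary and the second the
; standby. av2 is used only while av1 fails its health check, and av1 resumes at the
; next successful check. The fail mode is always the last argument, which is why a
; service may not be named fail_open or fail_closed.
<Cache>
    response.icap_service(av1, av2, fail_closed)
```

After installing either policy, confirm on the ProxySG that every listed service currently passes its health check; a standby that is itself unhealthy gives no redundancy, and with fail_closed an outage of all listed services denies every client request.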



9 Configuration Best Practices

This chapter describes strategies for improving scanning performance. It includes the following topics:
❐ Conserving Scanning Resources—on page 9-2

❐ Determining Which File Types to Scan—on page 9-8

❐ Best Practices for PDF Documents—on page 9-10

❐ Avoiding Processing of Cancelled Connections—on page 9-10


Conserving Scanning Resources


The ProxyAV has a finite number of ICAP connections available at any given time. HTTP Web objects range
from very small to very large in size. A scanning resource (connection) is used for each object. However,
some objects do not have finite object ends, such as stock tickers which are data streams transmitted over
HTTP through a Web browser. Terms used to describe this type of content are infinite streams or slow
downloads.
Attempting to virus scan this type of data can potentially consume significant time and ProxyAV resources
(potentially slowing other scans)—until an error is returned. If allowed to continue, these transfers fail with
one of the following ICAP error codes:
• Maximum file size exceeded
• Scan timeout
The default configuration of the ProxyAV triggers such errors after the file size exceeds 100MB or after 800
seconds of scanning. While these settings are appropriate for other types of Web objects, they don’t work
for infinite streams such as Web cams and stock tickers.
Some client applications automatically retry a request if no response is received in a certain amount of time.
Also, users might attempt to refresh the request when a response is delayed. Refreshing the request can lead
to a high number of queued requests for the same object, which increases the competition for ProxyAV
scanning resources. When a client application is especially aggressive, it impacts all network traffic as the
ProxySG waits for ProxyAV responses.
Although the ProxyAV cannot detect infinite streaming objects by type, you can instruct the ProxyAV to
abandon scanning of an object after a specified time, thereby freeing up a scanning resource for another
transaction. This feature is called Intelligent Connection Traffic Monitoring (ICTM).
When ICTM is enabled, the ProxyAV uses a specified download time (such as 60 seconds) to evaluate
whether a connection is considered slow. If the number of “slow” connections exceeds a warning threshold
(such as 35 concurrent ICAP connections), the ProxyAV notifies the administrator of the slow URL via an
e-mail or SNMP trap. The ProxyAV doesn’t start dropping these slow connections until their number
exceeds a critical threshold (such as 45 concurrent connections).
Configure ICTM on the ProxyAV

Step 1 Log in to the ProxyAV Management Console.

Step 2 Confirm that ICTM is enabled.
  a. Select Advanced > Intelligent Connection Traffic Monitoring.
  b. Make sure that the Intelligent Connection Traffic Monitoring (ICTM) checkbox is selected.

Step 3 Define what you consider to be a slow download. If desired, modify the default setting (60) in the
ICAP connections are considered “slow” when the download exceeds ___ seconds field.
  Blue Coat recommends the default of 60 seconds. The larger the value, the more resources are wasted
  on suspected infinite stream URLs. Conversely, lower values might tag the downloads of large objects
  as slow, thus targeting them for termination before the download is complete.

Step 4 Specify warning threshold parameters.
  a. In the Log a warning when more than ___ connections are “slow” field, enter the number of
     concurrent slow connections at which the ProxyAV will send a warning message. The default
     setting is 70% of the recommended maximum ICAP connections for the ProxyAV platform.
  b. To send an e-mail warning when this threshold is reached, make sure the Send an alert when
     warning level is reached checkbox is selected. The e-mail is sent to recipients specified on the
     Alerts > Alerts Settings page. If you clear this option, no warning is sent and nothing is logged in
     the AlertLog file.
  c. In the Repeat warning alert every ___ minutes field, enter the interval, in minutes, at which the
     ProxyAV repeats the warning message if the threshold remains breached.

Step 5 Specify critical threshold parameters.
  a. In the Drop older "slow" connections when more than ___ connections are “slow” field, enter the
     number of concurrent slow connections at which the ProxyAV will start dropping connections to
     maintain a level below the critical threshold. Oldest connections are dropped first. This value
     must be larger than the warning threshold (Step 4). The default setting is 90% of the
     recommended maximum ICAP connections for the ProxyAV platform.
  b. Just as for the warning threshold (Step 4b), you can select to send an alert to administrators for
     each connection that is dropped.

Step 6 Save the settings. Click Save Changes.


In addition to enabling ICTM, you should also implement a policy to control scanning of infinite streams.
The example policies below offer two different approaches and are not intended to co-exist. Select only one.

Solution A: No-Scan Policy

To enhance user satisfaction and achieve maximum performance from the ProxyAV, some customers
choose not to scan data streams that are known to cause issues. The benefit of this policy is reduced load
on the ProxyAV. The risk is that the exemption could allow malicious content to slip through unscanned:
anything served from an exempted domain, or with an exempted media type or user agent, is never seen
by the ProxyAV, so keep the exemption list as narrow as your traffic allows.
This policy is based on request/response patterns that indicate an overly large or slow download. This
policy assumes that the ICAP response rule is already defined; the actions in the policy will reset it back to
(no) upon an attempt to scan a streaming object or an object that shouldn’t be scanned. The policy looks for
very long content or objects in which no content length is provided; these are signs that this object may tie
up ProxyAV resources. The policy also looks for common infinite streaming media types as well as user
agents that are known to cause scanning problems. In addition, the policy defines URL domains that
shouldn’t be scanned (such as finance.google.com and youtube.com) because they are known to contain
infinite streams.
Blue Coat has written the Content Policy Language (CPL) for this policy and you can download the file,
customize it for your own needs, and install it on your ProxySG.
Install a No Scan Policy for Slow Downloads

Step 1 Download the CPL text file.
  a. Go to: http://techlabs.bluecoat.com/policy/icap_noscan.txt or refer to the text after this
     procedure.
  b. Save the file to your desktop or other convenient location.
  c. Modify the policy to meet your requirements. For example, you can add URL domains that you
     know contain infinite streams.

Step 2 Log in to the ProxySG Management Console.

Step 3 Install the policy file.
  a. Select Configuration > Policy > Policy Files.
  b. From the Install Local File from drop-down list, select Text Editor.
  c. Click Install. A browser window displays the Edit and Install the Local Policy File page.
  d. Open your CPL file and copy the text.
  e. Return to the Edit and Install the Local Policy File page, and paste the contents of the file at the
     end of the local policy file on your ProxySG.
  f. Click Install. A dialog displays, informing you whether the installation was successful. If
     necessary, correct any errors in the file and reinstall it.


CPL for No-Scan Policy

; -------------ICAP Best Practices----------------------------------------------
;;; The actual ICAP respmod rule should already be defined, these actions will
;;; reset it back to (no) upon an attempt to scan a streaming object or an object
;;; that shouldn't be scanned
<cache>
delete_on_abandonment(yes)
<cache>
;; NOICAP (referenced here) is defined further down in this file.
url.scheme=http condition=NOICAP response.icap_service(no)
<Proxy>
request.header.User-Agent="ProxyAV" patience_page(no)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; This condition will match if the content length is greater than
;; 99,999,999 bytes, or no content length is provided. Both of
;; these are signs that this may tie up a thread on the AV for too long.
define condition NO_or_LARGE_CONTENT_LENGTH
response.header.Content-Length=!""
response.header.Content-Length=!"^[0-9]{1,8}$"
end condition NO_or_LARGE_CONTENT_LENGTH
;; Here are some common infinite stream media types, these will
;; also block some threads on the AV.
define condition MEDIA_MIME_TYPES
response.header.Content-Type="video/"
response.header.Content-Type="application/streamingmedia"
response.header.Content-Type="application/x-streamingmedia"
response.header.Content-Type="application/vnd.rn"
response.header.Content-Type="application/ogg"
response.header.Content-Type="application/x-ogg"
response.header.Content-Type="audio/"
response.header.Content-Type="multipart/x-mixed-replace"
end condition MEDIA_MIME_TYPES
;; None of these exist right now
define condition Missbehaving_Modern_UserAgents
; Add modern user-agents known to missbehave to this condition
; and remove the comment character (semicolon) before Rule 3 above.
;request.header.User-Agent=""
end condition Missbehaving_Modern_UserAgents
define condition VIDEO_AUDIO_with_NO_or_LARGE_CONTENT_LENGTH
condition=NO_or_LARGE_CONTENT_LENGTH condition=MEDIA_MIME_TYPES
end condition VIDEO_AUDIO_with_NO_or_LARGE_CONTENT_LENGTH

define condition UserAgents_with_NO_or_LARGE_CONTENT_LENGTH


condition=NO_or_LARGE_CONTENT_LENGTH
condition=Missbehaving_Modern_UserAgents
end condition UserAgents_with_NO_or_LARGE_CONTENT_LENGTH
define condition MissBehaving_Old_UserAgents
request.header.User-Agent="Winamp"
request.header.User-Agent="NSPlayer"
request.header.User-Agent="RMA"
request.header.User-Agent="ultravox"

Integrating the ProxySG and ProxyAV Appliances 9-5


Conserving Scanning Resources Configuration Best Practices

request.header.User-Agent="itunes"
request.header.User-Agent="forest"
request.header.User-Agent="Scottrader"
request.header.User-Agent="SVN"
end condition MissBehaving_Old_UserAgents
define condition HTTPv0.9_UserAgents
http.response.version=0.9 condition=MissBehaving_Old_UserAgents
end condition HTTPv0.9_UserAgents
define condition NOICAP
condition=VIDEO_AUDIO_with_NO_or_LARGE_CONTENT_LENGTH
condition=HTTPv0.9_UserAgents
condition=UserAgents_with_NO_or_LARGE_CONTENT_LENGTH
; Yahoos stock ticker problem -15sep06
url.domain=//streamerapi.finance.yahoo.com
url.domain=//stream.aol.com
url.domain=//finance.google.com
; Other streaming media exceptions
url.domain=//youtube.com
url.domain=//pandora.com
end condition NOICAP
; -------------End ICAP Best Practices-------------------------
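Before installing a customised copy of this policy, it helps to see which responses it will exempt from scanning. The following Python model is an added example, not Blue Coat's code or part of the downloadable policy: it re-implements the conditions above in plain Python so that edited lists can be tried against sample transactions offline. The model assumes the CPL semantics used in this policy: header tests are case-sensitive regular-expression searches, the lines of a define condition are OR'ed while several tests on one line are AND'ed, a header test of =!"" means the header is absent, and url.domain matches the domain and its subdomains. The Transaction records are constructed for the example.

```python
"""Offline model of the NOICAP decision from the no-scan CPL above (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Lists copied from the CPL above; edit them to mirror your customised policy.
MEDIA_MIME_TYPES = [
    "video/", "application/streamingmedia", "application/x-streamingmedia",
    "application/vnd.rn", "application/ogg", "application/x-ogg", "audio/",
    "multipart/x-mixed-replace",
]
MISBEHAVING_OLD_USER_AGENTS = ["Winamp", "NSPlayer", "RMA", "ultravox",
                               "itunes", "forest", "Scottrader", "SVN"]
MISBEHAVING_MODERN_USER_AGENTS: List[str] = []   # empty, as in the policy
NOICAP_DOMAINS = ["streamerapi.finance.yahoo.com", "stream.aol.com",
                  "finance.google.com", "youtube.com", "pandora.com"]


@dataclass
class Transaction:
    """Constructed stand-in for one proxied HTTP response (scheme http assumed)."""
    domain: str
    content_type: Optional[str] = None
    content_length: Optional[str] = None
    user_agent: str = "Mozilla/5.0"
    response_version: str = "1.1"


def no_or_large_content_length(t: Transaction) -> bool:
    """NO_or_LARGE_CONTENT_LENGTH: header absent, or not 1-8 digits (> 99,999,999)."""
    if t.content_length is None:
        return True
    return re.search(r"^[0-9]{1,8}$", t.content_length) is None


def _header_matches(value: Optional[str], patterns: List[str]) -> bool:
    """One CPL header test per pattern, OR'ed; an absent header matches nothing."""
    return value is not None and any(re.search(re.escape(p), value) for p in patterns)


def media_mime_type(t: Transaction) -> bool:      # MEDIA_MIME_TYPES
    return _header_matches(t.content_type, MEDIA_MIME_TYPES)


def noicap_domain(t: Transaction) -> bool:        # the url.domain=// lines of NOICAP
    d = t.domain.lower()
    return any(d == n or d.endswith("." + n) for n in NOICAP_DOMAINS)


def matches_noicap(t: Transaction) -> bool:
    """True when NOICAP matches, i.e. response.icap_service(no) would fire."""
    nolen = no_or_large_content_length(t)
    return (
        (nolen and media_mime_type(t))                                    # VIDEO_AUDIO_with_...
        or (t.response_version == "0.9"
            and _header_matches(t.user_agent, MISBEHAVING_OLD_USER_AGENTS))  # HTTPv0.9_UserAgents
        or (nolen and _header_matches(t.user_agent, MISBEHAVING_MODERN_USER_AGENTS))
        or noicap_domain(t)
    )


def scan_decision(t: Transaction) -> str:
    return "skip-scan" if matches_noicap(t) else "scan"


# Constructed sample transactions, one per branch of the policy.
SAMPLES = [
    Transaction("www.example.com", "text/html", "5120"),
    Transaction("live.example.com", "video/mp4"),                       # no length + media type
    Transaction("cdn.example.com", "video/mp4", "734003200"),           # 9 digits: too large
    Transaction("cdn.example.com", "video/mp4", "73400320"),            # 8 digits: still scanned
    Transaction("www.youtube.com", "text/html", "1024"),                # domain exception
    Transaction("radio.example.com", "audio/mpeg", "0",
                user_agent="Winamp", response_version="0.9"),           # HTTP/0.9 + old player
    Transaction("dl.example.com", "application/octet-stream"),         # no length but not media
]


def evaluate_samples():
    """Return (domain, decision) for each sample transaction."""
    return [(t.domain, scan_decision(t)) for t in SAMPLES]


if __name__ == "__main__":
    for domain, decision in evaluate_samples():
        print(f"{domain:22} {decision}")
```

The last sample is the point worth checking after any customisation: a chunked download with no Content-Length is still scanned, because the policy only exempts it in combination with a media type or a listed user agent. If a customised copy exempts it on its own, the condition lines have almost certainly been split so that they are OR'ed instead of AND'ed.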

Solution B: Scan-Until-Error Policy

Some administrators choose to wait for one of the symptomatic errors (Maximum file size exceeded or Scan
timeout) to occur and then serve the data stream unscanned. This approach ensures that all data is still sent
to the ProxyAV—thus, the maximum amount of scanning can occur.
The downside to this approach is that all requests for infinite data streams must reach the maximum file
size or scan timeout configured on the ProxyAV. If a sufficient number of concurrent requests for such data
streams occur, the request queue will slow or delay other traffic.
This policy example serves the data stream if the error is Maximum file size exceeded or Scan timeout; other
errors are denied. Blue Coat has written the CPL for this policy and you can download the file, customize
it for your own needs, and install it on your ProxySG.
Install a No Scan Policy for Slow Downloads

Step 1 Download the CPL text file.
a. Go to http://techlabs.bluecoat.com/policy/icap_scan.txt or refer to the text
after this procedure.
b. Save the file to your desktop or other convenient location.
c. Replace <resp_service> with the name of your ICAP response service.
d. Modify the policy to meet your requirements.

Step 2 Log in to the ProxySG Management Console.

Step 3 Install the policy file.
a. Select Configuration > Policy > Policy Files.
b. From the Install Local File from drop-down list, select Text Editor.
c. Click Install. A browser window displays the Edit and Install the Local Policy
File page.
d. Open your CPL file and copy the text.
e. Return to the Edit and Install the Local Policy File page, and paste the contents
of the file at the end of the local policy file on your ProxySG.
f. Click Install. A dialog displays, informing you whether the installation was
successful. If necessary, correct any errors in the file and re-install it.

Code for Scan-Until-Error Policy

; edit the <resp_service> below to be the name of your ICAP respmod service name
<cache>
; fail_open: when the ICAP transaction fails, serve the object and record the error
response.icap_service(<resp_service>, fail_open)

<proxy>
; deny the response unless the ICAP error is one of those listed in the condition
; below (or there was no error at all)
condition=!maxfilesizeexceeded_or_scantimeout_errors_or_none exception(icap_error)

define condition maxfilesizeexceeded_or_scantimeout_errors_or_none
icap_error_code=max_file_size_exceeded
icap_error_code=scan_timeout
icap_error_code=none
end condition maxfilesizeexceeded_or_scantimeout_errors_or_none


Determining Which File Types to Scan


As the delivery of viruses and malicious code is ever-evolving, Blue Coat recommends scanning all file
types. However, the ProxySG/ProxyAV integrated solution allows you to determine which file types are
scanned, or more appropriately, not scanned. By default, the ProxySG forwards all file types for scanning,
but you can create policy that includes or excludes specific file types.
Blue Coat recommends scanning all file types to attain maximum security against harmful content. The
following file types are known to harbor viruses:
"";ARJ;BAT;BIN;BMP;BOO;CAB;CHM;CLA;CLASS;COM;CSC;DAT;DLL;DOC;DOT;DRV;
EML;EXE;GIF;GZ;HLP;HTA;HTM;HTML;INI;JAR;JPG;JPEG;JS;JSE;LNK;LZH;MDB;MPD;MPP;
MPT;MSG;MSO;NWS;OCX;OFT;OVL;PDF;PHP;PIF;PL;POT;PPS;PPT;PRC;RAR;REG;
RTF;SCR;SHS;SYS;TAR;TIF;VBE;VBS;VSD;VSS;VST;VXD;WML;WSF;XLA;XLS;
XLT;XML;Z;ZIP;{*;
At the time of this printing, the following MIME file types are deemed low risk to contain harmful content:
audio; x director video
To achieve a performance increase, you might opt to instruct the ProxySG to exclude these types from
scanning.
Here are several examples for excluding/including file types, using Content Policy Language (CPL) and
Visual Policy Manager (VPM).

CPL Example: Excluding File Types

The following policy excludes the Real Media file type from being scanned because it is considered to be a
very low risk to contain harmful content.
define condition FileExtension_lowrisk
url.extension=rm
end condition FileExtension_lowrisk
<Cache>
condition=!FileExtension_lowrisk response.icap_service(avresponse,fail_closed)

VPM Example: Excluding File Types

In the Destination column, a File Extensions object is created, which contains the Real Media file type; the
object is then negated (notice the symbol):

Table 9-1 Web Content Layer with a rule to negate the low-risk file extension.


CPL Example: Including File Types

The following policy specifies that HTML and ZIP file types are to be scanned:
define condition FileExtension_highrisk
url.extension=html
url.extension=zip
end condition FileExtension_highrisk
<Cache>
condition=FileExtension_highrisk response.icap_service(avresponse,fail_closed)
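The two CPL examples (excluding low-risk types, including high-risk types) differ in what happens to everything that is on neither list. The following Python model is an added example, not Blue Coat's code, and serves both examples: it extracts the extension the way url.extension does (the extension of the last path segment, query string ignored, compared case-insensitively, which is this model's assumption) and applies an exclude list and an include list to a set of constructed sample URLs, so a proposed extension list can be tried before the policy is installed.

```python
"""Model of the url.extension include/exclude decisions above (added example)."""
import posixpath
from urllib.parse import urlsplit

LOW_RISK_EXTENSIONS = {"rm"}            # FileExtension_lowrisk in the CPL above
HIGH_RISK_EXTENSIONS = {"html", "zip"}  # FileExtension_highrisk in the CPL above


def url_extension(url: str) -> str:
    """Extension of the final path segment, lower-cased; '' when there is none."""
    name = posixpath.basename(urlsplit(url).path)   # query string is not part of the path
    _stem, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def scanned_under_exclude_policy(url: str) -> bool:
    """Excluding File Types: everything goes to avresponse except low-risk extensions."""
    return url_extension(url) not in LOW_RISK_EXTENSIONS


def scanned_under_include_policy(url: str) -> bool:
    """Including File Types: only the listed high-risk extensions go to avresponse."""
    return url_extension(url) in HIGH_RISK_EXTENSIONS


SAMPLE_URLS = [  # constructed for this example
    "http://media.example.com/clips/intro.rm",
    "http://media.example.com/clips/intro.RM?token=abc",   # case and query string
    "http://www.example.com/index.html",
    "http://dl.example.com/tools/archive.zip",
    "http://dl.example.com/download?id=42",                # no extension at all
    "http://dl.example.com/setup.exe",
]


def compare_policies():
    """Per URL: (extension, scanned by exclude policy, scanned by include policy)."""
    return {u: (url_extension(u),
                scanned_under_exclude_policy(u),
                scanned_under_include_policy(u))
            for u in SAMPLE_URLS}


if __name__ == "__main__":
    for url, (ext, excl, incl) in compare_policies().items():
        print(f"{url:50} ext={ext or '(none)':8} exclude-policy={excl!s:5} include-policy={incl}")
```

The last two rows are the reason the guide recommends scanning all file types: under an include-only policy the .exe download and the extensionless download are never sent to the ProxyAV, while the guide's own list of virus-bearing types begins with the empty extension ("").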

VPM Example: Including File Types

Another rule is added. In the Destination column, a File Extensions object is created, which contains the
HTML and ZIP file types:

Table 9-2 Subsequent rule with the high-risk file types added.


Best Practices for PDF Documents


Some versions of the Adobe Acrobat browser plug-ins, when interacting with certain PDF documents,
make requests with very large numbers of byte-range groupings. The HTTP byte-range request is a method
of requesting only a portion of the data within an object. A single HTTP request can specify multiple byte
ranges in a list using start and stop byte offsets.
The ProxyAV supports up to 70 byte ranges per request. For requests with fewer than 70 byte ranges, the
object data is retrieved from the origin server and scanned normally. If the entire object is already in the
cache, each byte range is extracted and served from the cached data. However, if a request has more than
70 byte ranges, the ProxySG is unable to serve the data from the cache and instead must retrieve the data
from the origin server and rescan it.
Some Acrobat plug-ins fail to handle the patience-page behavior of the ProxySG during these 70+
byte-range retrievals and, instead, display a blank screen. Such Acrobat plug-ins operate correctly for all
other requests, even with regard to patience-page operation.
Normally, this issue can be resolved by upgrading the Acrobat plug-in. However, if an upgrade is not
possible, or the particular PDF files continue to trigger this behavior, you can use a different type of ICAP
feedback instead of patience pages: data trickling. You needn’t change the default ICAP feedback; you can
specify data trickling for PDF objects from a specific domain. The following example policy enables data
trickling for PDF objects from Blue Coat sites:
<proxy>
url.domain=bluecoat.com url.extension=(pdf) response.icap_feedback.interactive(trickle_start,5)
Use trickle_end if you want the data trickling to occur at the end of the download.
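To find out which PDF requests fall into the 70+ byte-range case before changing the ICAP feedback, it is useful to count the ranges in the Range header of a captured request. The following Python helper is an added example, not Blue Coat's code: it parses the bytes= byte-range-set syntax of HTTP (RFC 7233), rejects malformed specs rather than miscounting them, and flags requests above the ProxyAV limit of 70 ranges stated above. The limit comes from this guide; the sample header is constructed.

```python
"""Count byte ranges in an HTTP Range header and flag the 70+ case (added example)."""
import re

PROXYAV_MAX_BYTE_RANGES = 70   # per-request limit stated in the guide

# one byte-range-spec: "first-last", "first-" or a suffix range "-len"
_RANGE_SPEC = re.compile(r"^(?:(\d+)-(\d*)|-(\d+))$")


def parse_byte_ranges(range_header: str):
    """Return a list of (first, last) tuples for a 'bytes=...' Range header value.

    last is None for an open-ended range; a suffix range '-500' becomes (-500, None).
    Raises ValueError on anything malformed so callers never silently undercount.
    """
    unit, sep, spec_list = range_header.partition("=")
    if sep != "=" or unit.strip().lower() != "bytes":
        raise ValueError("only 'bytes=' ranges are supported")
    ranges = []
    for spec in spec_list.split(","):
        spec = spec.strip()
        if not spec:
            continue   # empty list elements are permitted by the HTTP list syntax
        m = _RANGE_SPEC.match(spec)
        if not m:
            raise ValueError("malformed byte-range-spec: %r" % spec)
        first, last, suffix = m.groups()
        if suffix is not None:
            ranges.append((-int(suffix), None))
            continue
        last_i = int(last) if last else None
        if last_i is not None and last_i < int(first):
            raise ValueError("last-byte-pos precedes first-byte-pos: %r" % spec)
        ranges.append((int(first), last_i))
    if not ranges:
        raise ValueError("empty byte-range-set")
    return ranges


def exceeds_proxyav_limit(range_header: str, limit: int = PROXYAV_MAX_BYTE_RANGES) -> bool:
    """True when the request carries more byte ranges than the ProxyAV supports."""
    return len(parse_byte_ranges(range_header)) > limit


def build_sample_range(n: int) -> str:
    """Constructed plug-in style header with n non-overlapping 1 KiB ranges."""
    return "bytes=" + ",".join("%d-%d" % (i * 2048, i * 2048 + 1023) for i in range(n))


if __name__ == "__main__":
    for n in (3, 70, 71):
        hdr = build_sample_range(n)
        print(n, "ranges ->", "exceeds limit" if exceeds_proxyav_limit(hdr) else "within limit")
```

Applied to an access log or a packet capture of the affected client, the count shows whether a blank-screen complaint lines up with the 70+ range case described above, and therefore whether the data-trickling policy for that domain is the right fix.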

Avoiding Processing of Cancelled Connections


When an HTTP request appears cacheable, the ProxySG completes the download, even if the requesting
client has abandoned the connection. This allows the ProxySG to store a cached version of the object for
future requests. However, for slow downloads, this behavior can result in each client request queuing a
separate instance for scanning.
To avoid the continued processing of a request after the client application has disconnected, you can enable
the CPL property delete_on_abandonment for certain client applications.
The following example policy prevents queuing of duplicate requests for a known aggressive client:
<cache>
request.header.User-Agent="Winamp" delete_on_abandonment(yes)
Note that delete_on_abandonment does not work when patience pages are enabled. It only works with data
trickling or with no ICAP feedback.
Alternatively, you can enable delete_on_abandonment for all clients, using the following code:
<proxy>
delete_on_abandonment(yes)



10 Troubleshooting

This chapter provides solutions to problems customers may have when integrating the ProxySG and
ProxyAV anti-malware solution. It includes the following topics:
❐ The ProxyAV isn’t Scanning Web Traffic—on page 10-2

❐ Users Can’t Access Any Web Sites—on page 10-3

❐ ProxySG Runs Out of Memory During Heavy Traffic Load—on page 10-5

❐ Scans are Taking Too Long—on page 10-5

❐ My ProxyAV isn’t Getting Virus Updates—on page 10-6


The ProxyAV isn’t Scanning Web Traffic


Symptoms: The ProxyAV’s Home page doesn’t show any files being scanned. The History Stats page
doesn’t show any ICAP objects, connections, or bytes for the last hour (or other recent time period). The
ProxySG’s ICAP statistics page doesn’t show any requests, connections, or bytes for the last hour (or other
recent time period).
Solutions: If the ProxyAV isn’t scanning Web traffic, there is likely a configuration error that is preventing
the ProxySG from sending traffic to the ProxyAV. Here are a few things to double-check:

• Did you create an ICAP service on the ProxySG? (See "Task 2: Create the ICAP Service" on page 4-4.)
• Does the ICAP service have the correct URL of the ProxyAV? Does the URL include the same antivirus
service name specified on the ProxyAV? If you changed the antivirus service name from its default
(avscan), you must make sure to include this same name as part of the Service URL for the ICAP service
on the ProxySG. The Service URL should look something like this:

• Did you create a policy for the ICAP service? (See "Task 3: Create Malware Scanning Policy" on page
4-8.)


Users Can’t Access Any Web Sites


Symptoms: All users get a denied message in their Web browsers when trying to go to any Web site.

Solution 1: If the ProxyAV is down and your ICAP policy is set to Deny the client request if an error occurs
during ICAP processing, users will not be able to browse the Internet — all requests will be denied. Thus,
if you have created your ICAP policy on the ProxySG before setting up the ProxyAV, users will not have
Web access. Therefore, it’s important to have the ProxyAV up and running before you install the ICAP policy.

To avoid the inevitable support calls that result from lack of Web access when the ProxyAV is down, you
may want to consider changing the ICAP policy to Continue without further ICAP response processing. With
this setting, users will be able to browse the Internet when the ProxyAV is down. However, this opens up
the network to potential viruses being downloaded during the ProxyAV downtime. (Although desktop
virus scanners might prevent this.)
Solution 2: This problem can also be caused by inconsistent secure ICAP settings for the ICAP service,
ProxyAV, and ICAP policy. If you want to use secure ICAP for HTTPS, you need to enable it in all three
places. The following series of screenshots shows the proper settings that should be in place to allow users
to browse secure Web sites (scanned with secure ICAP) and non-secure Web sites (scanned with plain
ICAP).

Figure 10-1 Secure ICAP enabled on the ProxyAV


Figure 10-2 Secure ICAP enabled on the ICAP service (configured on the ProxySG)

Figure 10-3 Secure ICAP enabled in the policy for the ICAP response service (configured in the VPM)

Solution 3: This problem can be caused by incorrect SSL configuration for secure ICAP. Make sure you have
followed the steps below:
1. Copy the ProxyAV appliance certificate (Advanced > SSL Certificates).
2. Import the ProxyAV appliance certificate as a CA certificate on the ProxySG (Configuration > SSL > CA
Certificates > Import).
3. Create a new CA certificate list specifically for secure ICAP and add the ProxyAV CA certificate created
in step 2 (Configuration > SSL > CA Certificates > CA Certificate Lists > New).
4. Create a new SSL device profile for secure ICAP. Select the default keyring and the CCL you created in
step 3 (Configuration > SSL > Device Profiles > New).

5. Configure the ICAP service to use the SSL device profile created in step 4 (Configuration > External
Services > ICAP > Edit).

Solution 4: The anti-virus license could be invalid or expired. To check the status of the anti-virus license
on the ProxyAV, click Antivirus.


ProxySG Runs Out of Memory During Heavy Traffic Load


Symptoms: The ProxySG becomes unresponsive and needs to be restarted.
Solution: The most common cause of this problem is setting too high a value for the Maximum number of
connections for the ICAP service. With too high a value, ICAP connections start queuing up, and
eventually the ProxySG runs out of memory and needs to be restarted. When editing the ICAP service,
use the Sense settings button to have the ProxySG retrieve the appropriate setting from the
ProxyAV. Blue Coat recommends that you not modify the Maximum number of connections value manually;
let the Sense settings feature determine the appropriate value.

If you have two ProxySGs sending ICAP requests to a single ProxyAV, you also need to be careful not to
set too high a value for Maximum number of connections. If the Sense settings button determines that
the maximum number of connections is 10, divide this value by two and enter the result on each of the
ProxySGs.

Scans are Taking Too Long


Symptoms: Users complain about delays in Web browsing.
Solution: Slow scanning is most likely caused by the ProxyAV attempting to virus scan infinite streams. To
avoid this problem, Blue Coat recommends that customers implement one of the policies described in the
Best Practices chapter. See "Conserving Scanning Resources" on page 9-2 for additional details.


My ProxyAV isn’t Getting Virus Updates


Symptoms: The network administrator gets an email notification that the antivirus update failed.
Solution 1: It’s possible that the DNS server was temporarily down or some other network problem
interfered with the virus update. Try forcing the update:

Solution 2: Each anti-virus vendor provides pattern file updates that necessarily contain portions (or
descriptions) of viruses. Generally, these virus segments are encoded and are too small to be mistaken as a
true virus by other AV vendors. But occasional false positives occur. These can be prevented by exempting
virus pattern update locations from scanning, as the following example policy illustrates (place this policy
after all other ICAP policies on the ProxySG):
<cache>
url.host=download.bluecoat.com response.icap_service(no)
url.host=av-download.bluecoat.com response.icap_service(no)
